Undergrad suspected in massive Univ. of Nebraska breach
More than 650K personal records were compromised in attack
Officials at the University of Nebraska in Lincoln (UNL) have identified an undergraduate student they say is responsible for a recent intrusion into a university database containing personal information on more than 650,000 students, parents and employees.
Campus police on Wednesday night seized computers and other equipment from the room of the UNL student after tracing the IP address of the computer used in the attack. The seized equipment is currently undergoing forensic analysis, according to information from by the school. The name of the suspect has not been released.
"An arrest has not yet been made," a university spokeswoman said today. "When and if that happens we will release the name of the individual."
The intrusion, which was described by university officials as a "skilled attack," exposed the Social Security Numbers (SSNs), names, addresses, course grades financial aid and other information on students who attended the university since 1985.
Students, alumni and applicants at all four of the university campuses -- Omaha, Lincoln, Kearney and the Medical Center -- were affected by the intrusion. The breach also exposed personal data and financial information for parents of students who applied for financial aid at UNL, according to the university. A staff member in UNL's Computing Services Network discovered the breach in the Nebraska Student Information System (NeSIS) on May 23.
The system is used to manage student admissions, campus housing and course registration. It was built over a three-year period at a cost of $29.9 million, has been operational for the past two years and is based on Oracle's PeopleSoft Enterprise Campus Solution platform. The technology is now in use at more than 800 universities in 20 countries, according to a University of Nebraska description of the software.
An FAQ on the incident posted by the university makes it clear that personal data in the breached server was not encrypted. "However, we are confident that the type of attack we experienced would have bypassed any encryption that was in place," the university said, without offering any further explanation of the attack.
The vulnerability that enabled the intrusion has since been closed and the university is currently working with a third-party firm to review and address remaining vulnerabilities, the FAQ says. All affected individuals have been notified about the potential compromise of their personal data.
Breaches such as these continue to be relatively common in university environments, despite more awareness of the problem. So far this year, there have been at least 32 publicly disclosed breaches involving universities, according to data breach records maintained by Privacy Rights Clearinghouse. A total of 1.17 million personal records have been compromised so far in these incidents.
The breach at UNL is by far the biggest one at a university this year. Earlier this year, SSNs and other personal records of an estimated 350,000 people at the University of North Carolina in Charlotte were exposed when the data became directly accessible over the Internet as the result of a system misconfiguration.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.