
Student and staff personal info potentially compromised in campus network security breach

The social security numbers and names of almost 450 students and staff may have been compromised in an Aug. 21 security breach of a Rockefeller Library computer. A majority of those affected were students who have recently worked at the library, but information on nearly 15 library employees might have also been leaked.

The problem was discovered when University intruder detection software identified unusually high traffic on a computer in the Rock's administrative offices, Connie Sadler, director of information technology security for Computing and Information Services, told The Herald.

CIS officials discovered that the computer had been hacked by a botnet - an automated network of potentially thousands of computers that work together, often without the knowledge of the computers' owners - to send spam messages, Sadler said. When the intrusion was confirmed, University officials removed the hard drive from the network and notified the Federal Bureau of Investigation. This type of attack is common on personal computers, but it is particularly troubling in this case because of the personal information stored on the compromised machine, Sadler said.

In total, payroll information - including names and social security numbers - of 444 people was potentially compromised. Fewer than 15 of these people are library staff members, according to Sadler. The infiltrated computer did not contain other information, such as bank records, birthdays or credit card numbers.

An e-mail was sent out to all of those affected by the breach, providing them with information about the attack and advice for identifying and avoiding identity theft, said Russell Carey '91 MA'06, interim vice president for campus life and student services.

For her part, Sadler characterized the attack as "good news and bad news."

"The bad news is of course that there is some way an individual could get into this machine at all," she said. "The good news is that it appears that, based on the automated nature of the attack, the only thing the intruders were looking for was processing power" and not to get personal information, such as social security numbers.

The hard drive of the hacked computer was sent to a forensic analyst, and Sadler said it is likely the firm will determine that the attack was not intended to gather personal data.

"We are working really hard to tell individuals in departments to not keep confidential information on (personal) workstations and instead to keep it on the server or larger applications that have intrusion detection," Sadler said.

Sadler also said CIS is adding more firewalls - "gateways" that limit the amount and type of incoming traffic in a network - to the Rock and other University networks to make networks with secure data "as tight as possible."

Leah Shabshelowitz '08, one of the students whose information may have been compromised, called the incident "unfortunate" but added that situations like this "happen all the time."

"There's nothing I can really do about it," she said.

As for the University's response to the incident, Shabshelowitz said the information she was provided was adequate, but she added that she would have liked to know more about what happened.

"I am not really sure how (the University) could have handled it differently though," she said.


All Content © 2024 The Brown Daily Herald, Inc.