University of Wisconsin reported malware was found on a server that stored the names and Social Security numbers of 75,000 students and faculty members.
current faculty and students at the University of Wisconsin-Milwaukee may have
had their Social Security numbers exposed by malware.
planted on a document-management database server may have exposed 75,000
student and staff Social Security numbers and names, the University
said Aug. 10. Considering the amount of
critical research data stored on the server, the malware was most likely after
research data and not personal information, said Tom Luljak, the university
how long the back-door malware was lurking undetected on the server, used by
many departments to store research data and details about current and past
cutting-edge research projects, but officials guessed it was for a "short
period of time."
theorize that the motive was not identity theft, and could find no proof of
attempts to download names or social security numbers," said John
McCarragher, the interim chief information officer at the University of
unclear whether the malware had access to other servers on the university
network. Administrators immediately shut down the server after finding the
malware and "reassessed security before restarting it," said
That is one of
the biggest mistakes organizations make after discovering a breach, Geoff Webb,
senior product marketing manager at Credant Technologies, told eWEEK.
While senior management may be
saying "shut everything down," the security team should resist the pressure and
take the time to investigate what happened without alerting the attackers, Webb
said. If the attackers figure out they've been detected, they would try to
cover their tracks and potentially destroy any evidence on the breached system,
according to Webb.
University's technology staff discovered the malware May 25. The malware, which
had the ability to view all documents stored on the server, was most likely
installed remotely, according to Luljack. Then local and federal law
enforcement authorities investigating the security breach incidentally
discovered June 30 the server also housed a database with Social Security
information for students and employees.
believe anyone got access to the image bank. There is no evidence that the
hackers actually looked at or retrieved any information," Luljak said.
law enforcement and school investigators have not yet found evidence that the
Social Security numbers were actually stolen from the database, the university
sent out a letter to all those who may be affected. Since the data may not have
been stolen, the University of Wisconsin said it would not pay for
credit-monitoring. Instead, it warned students and staff to be vigilant about
monitoring their credit history and putting a freeze on their credit reports.
may fall on deaf ears. A recent report from Javelin Research found that 18- to
24-year olds generally take twice as long to find out their identity has been stolen,
primarily because they are less likely than other age groups to regularly track
activity in their bank accounts and credit cards. This age group was also less
likely to use identity-theft monitoring services, Javelin found.
Even if the
data was not downloaded, the incident is a reminder to organizations to protect
data on their servers and networked devices faculty and administrators use.
Students and staff frequently go off campus, and "data security doesn't
end when they leave campus," Webb said. All mobile devices need to be
encrypted as well.
Wisconsin disclosed its breach a day after California
State Polytechnic University, Pomona
notified 38 current and former
faculty members in the College of Business Administration that their personal
information had been accidentally exposed.
A staff member
on Aug. 2 mistakenly placed two documents containing full names and Social
Security numbers on a shared network, not realizing students and other faculty
and staff could view the files. It doesn't appear the data was copied or
misused, but the university is conducting an internal review of its procedures to
handle confidential data.