Security Breach Hits Wisconsin University Server Storing Student, Faculty SSNs

University of Wisconsin reported malware was found on a server that stored the names and Social Security numbers of 75,000 students and faculty members.

Former and current faculty and students at the University of Wisconsin-Milwaukee may have had their Social Security numbers exposed by malware.

Malware planted on a document-management database server may have exposed 75,000 student and staff Social Security numbers and names, the University of Wisconsin-Milwaukee said Aug. 10. Considering the amount of critical research data stored on the server, the malware was most likely after research data and not personal information, said Tom Luljak, the university vice chancellor.

It's unknown how long the back-door malware was lurking undetected on the server, used by many departments to store research data and details about current and past cutting-edge research projects, but officials guessed it was for a "short period of time."

"Investigators theorize that the motive was not identity theft, and could find no proof of attempts to download names or social security numbers," said John McCarragher, the interim chief information officer at the University of Wisconsin-Milwaukee.

It's also unclear whether the malware had access to other servers on the university network. Administrators immediately shut down the server after finding the malware and "reassessed security before restarting it," said McCarragher.

That is one of the biggest mistakes organizations make after discovering a breach, Geoff Webb, senior product marketing manager at Credant Technologies, told eWEEK. While senior management may be saying "shut everything down," the security team should resist the pressure and take the time to investigate what happened without alerting the attackers, Webb said. If the attackers figure out they've been detected, they would try to cover their tracks and potentially destroy any evidence on the breached system, according to Webb.

The University's technology staff discovered the malware May 25. The malware, which had the ability to view all documents stored on the server, was most likely installed remotely, according to Luljack. Then local and federal law enforcement authorities investigating the security breach incidentally discovered June 30 the server also housed a database with Social Security information for students and employees.

"We don't believe anyone got access to the image bank. There is no evidence that the hackers actually looked at or retrieved any information," Luljak said.

Even though law enforcement and school investigators have not yet found evidence that the Social Security numbers were actually stolen from the database, the university sent out a letter to all those who may be affected. Since the data may not have been stolen, the University of Wisconsin said it would not pay for credit-monitoring. Instead, it warned students and staff to be vigilant about monitoring their credit history and putting a freeze on their credit reports.

The warning may fall on deaf ears. A recent report from Javelin Research found that 18- to 24-year olds generally take twice as long to find out their identity has been stolen, primarily because they are less likely than other age groups to regularly track activity in their bank accounts and credit cards. This age group was also less likely to use identity-theft monitoring services, Javelin found.

Even if the data was not downloaded, the incident is a reminder to organizations to protect data on their servers and networked devices faculty and administrators use. Students and staff frequently go off campus, and "data security doesn't end when they leave campus," Webb said. All mobile devices need to be encrypted as well.

University of Wisconsin disclosed its breach a day after California State Polytechnic University, Pomona notified 38 current and former faculty members in the College of Business Administration that their personal information had been accidentally exposed.

A staff member on Aug. 2 mistakenly placed two documents containing full names and Social Security numbers on a shared network, not realizing students and other faculty and staff could view the files. It doesn't appear the data was copied or misused, but the university is conducting an internal review of its procedures to handle confidential data.