Friday, 14 March 2008

Harvard Says 10,000 Applicants' Files Were Hacked

www.bloomberg.com

March 13 (Bloomberg) -- Harvard University apologized for allowing computer files to be hacked by an "outsider," potentially exposing personal information of about 10,000 graduate students or applicants.

The information that may have been hijacked includes names, Social Security numbers, birth dates, addresses, e-mail addresses, telephone numbers, test scores, school records, and in some cases health information, the Cambridge, Massachusetts, school said yesterday in a statement.

The hacking, discovered Feb. 16 and reported to the FBI, comes as 58 percent of U.S. colleges and universities reported at least one information security incident in the previous year, according to a 2006 survey. Nine percent reported a loss or theft of student data.

"This is really unprofessional, of course, and we're quite upset that something like this would happen at Harvard, of all places," said Patrick Hamm, a spokesman for Harvard's Graduate Student Council.

Harvard discovered the attack Feb. 16 after information from 19 graduate student-housing applications appeared on an Internet site called Pirate Bay that hosts anonymous information, said Daniel Moriarty, the university's chief information officer.

The posted information did not include Social Security numbers, birth dates, or other "data elements that would be of concern for identity theft," he said.

Vulnerable Files

Harvard notified graduate students Feb. 20, telling them that "no personal, private or secure information was made available in the content distributed over the Internet."

The university later discovered that data from 10,000 admission applications to the Graduate School of Arts & Sciences for the last academic year were vulnerable to the same kind of intrusion, Moriarty said. Of the files that might have been vulnerable, 6,600 include birthdates and Social Security numbers, the school said.

The university has no evidence that the admission-application information was hacked.

"Because it can't be ruled out, the prudent thing we felt was to proceed and notify people," Moriarty said.

Kyle Brown, president of the Graduate Student Council, said the university's delay in realizing the extent of the hacking was troubling to him.

'No One Was Really Aware'

"No one was really aware of the scope," said Brown, 21. "That, in of itself, may indicate a problem with the way Harvard goes about securing information. When someone breaks in, we need to know exactly what was compromised, soon."

Harvard disabled the server soon after learning of the intrusion, removed the sensitive information, addressed the vulnerability and brought it back online on Feb. 21, officials said.

Harvard said it hired Kroll Inc. to provide identity theft-recovery services for people whose information might have been taken.

"Please be assured that we are taking steps to do what we can to prevent future incidents of this kind," said Margot Gill, administrative dean of Harvard's Graduate School of Arts and Sciences, in the statement. She said Harvard was "truly sorry for the inconvenience and concern this incident may cause."

Kroll will help people obtain copies of their credit reports, set up credit-monitoring services and fraud alerts, and take other protective steps, Harvard said.

UCLA Data Exposed

Kroll, a provider of risk-mitigation services, is a unit of Marsh & McLennan Cos., a professional-services company based in New York.

In January 2007, the University of California, Los Angeles, said names, Social Security numbers and birth dates of 800,000 students, alumni, and staff had been exposed.

Brown, the Graduate Student Council president, said he wasn't surprised that Harvard's computers were penetrated.

"Big bureaucracies don't always do things in the most efficient way, the best way, and Harvard is probably no exception to that," he said.
