A massive security breach of University of Nebraska student records appears to be the malicious work of a skilled perpetrator, the university's information security officer said Saturday.
While there was no evidence the individual copied information into his own system, that is not guaranteed and questions remain, NU's Joshua Mauk said.
“This was a pretty complicated and not easily executed attack on the system,” Mauk said. “It was not a simple attack.”
The computer database holds 654,000 Social Security numbers as well as other personal information. It serves all four NU campuses — one in Lincoln, two in Omaha and one in Kearney.
The situation provides one more example — after incidents at Ohio State, Bank of America, UCLA, Citibank and the University of Hawaii — of the vulnerability of supposedly secure computer records.
At stake is not simply personal information such as grades, but conceivably critical information such as Social Security numbers — which can be used for identity theft — and, in some cases, bank account numbers.
“Unfortunately, it's not all that unusual nowadays, because it can happen many ways,” said Ray Vaughn, founder of the Center for Computer Security Research at Mississippi State University. “That's a very serious data breach when you have that many student records affected.”
Vaughn also said it's hard to say with certainty that the perpetrators failed to download information because sophisticated hackers proficiently cover their strokes.
He said hackers sometimes crack databases for bragging rights and sometimes to make information available to the public, but over the past few years there has been “an exponential increase in hacking for profit.”
Hackers work from Russia, Eastern Europe and China, he said, but the United States has its own thriving hacking community. Vaughn is associate vice president for research at Mississippi State.
NU staffers discovered the breach Wednesday, evidently notified university regents Thursday and sent out a public statement late Friday. Mauk said only a short time lapsed between the breach and the discovery of the breach. NU officials took immediate measures to stop the breach, he said.
Regent Chuck Hassebrook of Lyons, Neb., said it's unsettling news.
“Obviously one has to be nervous about this because we don't know what was taken and who got it,” Hassebrook said.
“What was taken and what was gathered and what harm can be done with it?” Hassebrook asked. “What evil can be done with it?”
NU spokeswoman Melissa Lee said 21,000 people whose bank account information was on the student information system have been alerted.
Regent Randy Ferlic of Omaha said concerns about identity theft and theft from bank accounts are legitimate. “I don't think people understand the severity of the problem,” Ferlic said of such breaches.
An investigation continued Saturday, NU's Mauk said, and included local and federal law enforcement.
“The police are following a lead,” he said.
A security firm will perform forensic analysis, examining the evidence to ascertain who was behind the breach and how it was done, he said. He declined to name the firm.
Mississippi State's Vaughn said that among the multiple ways systems are breached are through a flaw in the operating system or database that makes it easier for hackers to get in; a virus may be planted in the system that enables hackers to gain unauthorized access; and the system may be reconfigured for legitimate purposes, but security is weakened in the process or access control to the system is misconfigured.
Vaughn said his own university had a comparatively small breach a few years ago when permission to access the system was accidentally set to allow the public in, and several hundred records were vulnerable.
He said investigators couldn't tell if files were downloaded, but the university offered credit-service and fraud protection to potential victims.
He praised NU authorities for informing the public what had happened, thus sending an early warning.
Mike Jones, a Board of Regents candidate from David City, said the state has considerable trust in the university and the breach is disappointing. NU should be able to stay ahead of hackers, he said.
He also criticized the approximately 48-hour delay in notifying the public. That's valuable time that individuals could have used to examine bank accounts and take precautions, he said.
NU's Mauk stressed that the university appreciates the importance of protecting student and alumni records. “Yes, we're working nonstop,” he said.
The adversary, he said, was formidable. “It wasn't accidental. It was definitely a targeted attack on our system.”
The university recommends that anyone with concerns go to the Federal Trade Commission's website to review identity theft information.
Contact the writer: