Computer Intrusion: FAQ
This page explains the details of the intrusion and the precautionary steps you can take to protect yourself.
What happened?
UMass Amherst has suffered an illegal intrusion into its computing network. Hackers accessed a departmental server, where some files contained individuals’ Social Security numbers and a very limited amount of credit card information, but at this time there is no evidence to indicate that identity theft actually occurred.
Whose information was stored in this database?
The server contained names and Social Security numbers of students primarily spanning 1982-2002 and a very limited amount of credit card information. A small number of pre-1982 records were also on the server.
When did this occur?
In September 2008, an attacker gained unauthorized access to a server that contained individuals’ Social Security numbers. Records show the principal vulnerability occurred over two days, from Sept. 15-16, 2008, with the exposure extending until Oct. 27, 2008. A review began immediately, and a progressive evaluation concluded in May 2009 that the exposure was potentially broad in scope. Computer forensic experts were hired to assess the incident in detail. Following this review, the university proceeded to notify the state Attorney General, the state office of Consumer Affairs and Business Regulation, and the public, based on Massachusetts General Law, Chapter 93H.
The University’s responsibility
UMass Amherst sincerely regrets and apologizes for any difficulty this security breach may cause individuals who had their personal information exposed as a result. The university takes very seriously its responsibility to protect the personal information entrusted to it. To fully evaluate what occurred and to reduce the university’s vulnerability to future attacks, the forensic experts who were hired provided a set of recommendations. These include better security training for system administrators; automated software to detect malicious activity; increasing efforts to identify all computers that contain personal information; and retaining network data for longer periods to better assess incidents. A number of these steps have already been taken.
Am I a victim of identity theft?
That is unknown. To date, there is no evidence to indicate that identity theft actually occurred. A detailed analysis by an independent computer forensics company concluded that the intruders’ attack was not specifically designed to look for personally identifiable information. The records do not show large amounts of data being extracted from the server, but a vulnerability did exist for a short period of time. The server contained names and Social Security numbers of students primarily spanning 1982-2002 and a very limited amount of credit card information.
Where can I get more information?
In addition to this Web site, www.umass.edu/computerintrusion, a special Telephone Help Line can be called at (413) 545-8376 from 8 a.m. to 5 p.m. Eastern Daylight Time. E-mail correspondence can be sent to computerintrusion@umass.edu.
The Attorney General’s Office for the Commonwealth of Massachusetts has a special Web section that spells out how to protect yourself when data security is breached and the possibility of identity theft exists. This resource can be found at www.mass.gov/Cago/docs/Consumer/identity_theft_022708.pdf.