Computer Intrusion
August 5, 2009
UMass Amherst Reports Attack by Computer Hackers on Server; No Evidence of Loss of Personal Information
AMHERST, Mass. – The University of Massachusetts Amherst has suffered an illegal intrusion into its computing network, but there is no evidence of theft of personal information. In the incident, hackers gained access to a departmental server that contained individuals’ Social Security numbers and a very limited amount of credit card information, but there is no evidence that the hackers targeted this particular information nor that they removed large amounts of data from the server.
A detailed analysis by an independent computer forensics company also concluded that the intruders’ attack was not specifically designed to look for personally identifiable information, John Dubach, chief information officer, said. He also said records do not show large amounts of data being extracted from the server, but that the potential for a loss of data did exist for a short period of time. Therefore, based on Massachusetts General Law, Chapter 93H, the university has proceeded to notify the state attorney general and the public. The server contained names and Social Security numbers of students who attended the university between 1982 and 2002 as well as a few others attending before 1982.
Dubach said records show the principal vulnerability occurred over two days, from Sept. 15-16, 2008, with the exposure extending until Oct. 27, 2008. A review began immediately, and a progressive evaluation concluded in May 2009 that the exposure was potentially broad in scope. The forensic experts were then hired to do a detailed analysis.
Recommended improvements include better security training for system administrators; automated software to detect malicious activity; increasing efforts to identify all computers that contain personal information, and retaining network data for longer periods to better assess incidents. A number of these steps have already been taken.
Dubach said, “Protecting the privacy of our students, alumni and all members of the campus community is one of our fundamental responsibilities. We regret that this incident occurred, and we are taking steps to reduce the university’s vulnerability to future attacks.”
Contact: Patrick J. Callahan, 413/545-0444, pjcall@admin.umass.edu