University server was controlled by hackers for a year
…before anyone found out at Ohio University.
And it’s not a small matter:
- they had likely hundreds of servers, at least 3 were compromised
- at least one of the servers compromised contained Social Security numbers of more than 130,000 people
- the other 2 servers had health records belonging to students treated at the university’s health center stolen, as well as more Social Security numbers.
- penetrated by both US and overseas hackers
The Uni only came to know about it after the FBI discovered someone had remotely taken control of one of the school’s servers. What if they didn’t?
Universities are popular targets for hackers because:
- due to the fact that they store Social Security numbers and other data useful for committing identity thefts
- they don’t take security seriously enough.
- they have to keep information free flowing (maintain delicate balance in flexibility and security), unlike corporations which can issue immediate lockdown
Bill Sams, the school’s CIO said: "We need someone somewhere to come up with a set of best practices for schools."
How hackers managed to get in, according to Sams:
A server supporting the alumni relations department was supposed to be offline. The people responsible for shutting it down thought they had done so. The server continued to be connected to the Internet but didn’t receive security updates. It was the equivalent of leaving a backdoor open for thieves to walk in and seize what they wanted.
The following is a sobering statement for all of us:
"We had a failure of both policies and procedures," Sams said. Asked why, when so many schools were succumbing to computer attacks, Ohio University wasn’t quicker to order a security audit, Sams replied: "Should we have? Yes. Did we? No."
Written by pinolobu on July 3rd, 2006 with no comments.
Read more articles on case studies.