UConn server breached; data on 72,000 people exposed

27.06.2005
By
Linda Rosencrance has been writing about technology topics for more than 20 years, including for our US sister publication CIO.com.

A University of Connecticut server containing personal data on 72,000 students, faculty and staff was breached last week, according to a statement posted at UConn's Web site.

The server contained personal information, including users' names, Social Security numbers, dates of birth, UConn NetIDs and campus addresses, the university said.

Although there is no evidence that personal data was accessed or extracted, the university plans to contact everyone whose identity may be at risk, according to the statement.

"We moved immediately to protect the data by taking the impacted server off-line," said Michael Kerntke, the school's CIO. "In addition, we verified that other computers that communicate with the breached server [that] may contain sensitive information were secured."

The hacking incident was discovered after UConn's IT department received notification from a nonuniversity corporation that an invalid log-on attempt had originated from a computer within the UConn domain. Kerntke said the automated notification prompted IT staffers at the university to look into the incident, and they found that an unauthorized program, known as a rootkit, had been installed on a data center server in October 2003.

"The rootkit was installed on Oct. 23, 2003, but no one knew anything about that until someone with a UConn domain name tried to get into something they weren't supposed to get into and the vendor told us about it," said UConn spokeswoman Karen Grava. "And we investigated and discovered the rootkit. That was the first time anyone knew anything about it."

The university is not identifying the vendor, she said.

After further investigation, IT workers determined that the server contained personal data for anyone who possessed, on or after that Oct. 23, 2003, date, a UConn NetID -- an account that allows access to university technology resources such as e-mail addresses. That would include faculty, staff, students and vendors at all campuses of the university, including the health center.

The server did not include any information related to the health center's electronic patient records, and no patient information was affected, said Kerntke.

Kerntke said that the attack took advantage of a vulnerability in the server that was unknown to the university or the manufacturer at the time of the initial breach. A patch has subsequently been developed by the manufacturer to eliminate security breaches, he said.

"The nature of the compromise indicates that the server was breached during a broad attack on the Internet and not the target of a direct attack," Kerntke said. "Therefore, the attacker most likely had no knowledge of the kind of data stored on the server."

He said the university is taking steps to prevent future breaches, including reviewing its dependence on Social Security numbers as a unique identifier; auditing other servers and departments that are not directly part of the breached system but contain or transmit sensitive information; and implementing even more stringent network and server access controls.