On May 14, 2008, faculty, staff and students received an e-mail from OSU that informed them of a potentially dangerous hack on the information systems on campus and that their identity and information might have been compromised.
Anyone who purchased a parking permit between July 2002 and March 2008 was alerted of this unauthorized intrusion, but was reassured in the e-mail that the Information Technology Security Office immediately removed this server from access to OSU’s database. The IT office believes “that the intruder’s purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content.”
All social security numbers were immediately removed upon discovery of the server breach in March, according to information located on the IT Web site. The hacker had control and access to the OSU Parking and Transit system since Nov. 23, 2007, allowing the unidentified party nearly four months of free access to OSU’s database, according to the site.
Gary Shutt, director of OSU Communications, said although the hacker breached in November, the hacker did not illegally use the server connection until February.
Shutt said OSU became aware of this breach in March, shut down the hacker immediately and began a detailed investigation.
The reason OSU took two months to contact faculty, staff and students was because they first contacted federal officials and began a thorough investigation of the intentions and possible actions this hacker might have taken due to the sensitive material housed on the database, he said.
Shutt said since the e-mail and statement on May 14, no one has notified OSU Communications that they have had identity theft or security issues.
Shutt said this is a good sign.
“We still do not believe the purpose was to get personal information on the database,” he said.
Although OSU identified the hacker as not malicious, faculty, staff and students still seem nervous about the hack and about OSU’s ability to fix the problem.
Frustration abounds particularly with students regarding the exposed information.
Graduate teaching assistant Louis Sylvester said he does not think the Parking and Transit Office should have vital information such as social security numbers to begin with.
“After all the crap that students get put through—tickets and the parking hassle on campus—why are they allowed to house and then potentially lose information that would allow someone else to steal my identity?” Sylvester asked.
Shutt said this incident is simply a breakdown in practices.
“We should not have had this information exposed,” he said
After the full transfer of social security numbers to CWID as the primary identifier, incidences like these should lessen, Shutt said.
Other students question the ability and integrity of the OSU Parking and Transit Office.
Brendan Stallings, a theatre senior, said it is remarkable how easy it seems to break into the system.
“In the four years I’ve been here, hackers have infiltrated the information system that houses vital contact information about students about three or four times and then OSU sends out an email saying, ‘by the way,’” Stallings said.
Shutt said OSU has a very large network.
“It’s impossible to monitor everything that is going on,” he said. “Universities are very susceptible to this type of problem.”
Shutt said OSU has started a six-step procedure to prevent further incidents.
“OSU Communications will evaluate system security, expand network monitoring, review current policies and procedures, establish configuration standards, strengthen the registration and access and upgrade IT security training,” Shutt said.
For more information regarding the incident, visit http://idalert.okstate.edu/index.html.
Loading ...
All Articles