Security breached on Alumni Web site
July 18, 2005
A network security breach was recently found on an ISU Alumni Association computer, potentially exposing personal information of any of the 3,359 people on the association’s Web site. Discovered on July 6, the breach exposed the Social Security numbers of 2,301 customers who used a Web-based form to sign up for Alumni Association-sponsored activities between April 1, 2004 and July 6, 2005. Credit card numbers of 2,379 customers also could have been viewed, according to a release.
Jim Davis, chief information officer for information technology services, said the unknown intruder had been using the computer to distribute movies. It is unknown if the perpetrator viewed or was interested in obtaining personal information, according to an e-mail sent to affected customers.
“All we know for sure is there was an ftp [file transfer protocol] server that was installed on the system,” Davis said. “The exact attack vector is unknown.”
Kate Bruns, assistant director of communications for the Alumni Association, said the computer is being examined by Information Technology staff to determine the method of access. Davis said a second examination by outside consultants should begin within a week.
He said the breach was discovered after IT staff noticed abnormal network traffic.
“This one kind of stuck out a little bit in terms of normal activity,” Davis said. “This popped up as being a big bandwidth user for file transfers.”
The computer had been used to serve the Web sites of the Alumni Association and its student groups. The sites were “partially restored” July 13 after being taken down July 6, according to the release.
ISU Police Capt. Gene Deisinger said his department is assisting Information Technology Services in the ongoing investigation. He said potential charges are unknown.
“It will depend in part on what turns out to have been done,” Deisinger said.
Bruns said most people affected were alumni and students — anyone who filled out an online membership application, event registration or used the online store could be affected. She said a new system is now being developed to take online registrations and purchases and will be put into place as soon as possible.
“We’re not taking any registrations until we have that new system in place,” Bruns said.
Anyone who would like to make a purchase from the Alumni Association or register for an event can call or e-mail them until the new system is in place.
According to the e-mail, it is “highly unlikely” Social Security numbers were stolen, but anyone who believes theirs has been accessed is encouraged to contact the Federal Trade Commission.