A hacker grabbed the Social Security numbers of more than 22,300 current and former students at the US University of Missouri. It is the institution's second data break-in of the year.
According to university officials, the attack was launched from IP addresses in China and Australia and used a Web form for tracking the status of queries to the school's IT help desk. The hacker accessed the names and Social Security numbers of school employees during 2004 who were also current or one-time students; those records had been compiled for a report, but overlooked rather than deleted.
IT staffers noticed unusual activity that began around 5.30am, then tied a large number of database query errors to the problem on Friday. Logs showed that the attacks ended at 9.34am. That day, technicians disabled the account used to access the database from one IP address in China, the other in Australia. The FBI was alerted on May 7.
"The hacker was able to reach the information by making thousands of queries over a span of hours, allowing the identities to be exposed one at a time," the university reported.
A Web page and toll-free telephone line has been set up to take questions from students, the school said. Officials are also contacting as many of the affected people as possible.
The toll-free line was overwhelmed, a school spokeswoman said, and some callers heard a recording that the desk was closed. That problem has been solved by boosting the staff answering the phones. US Computerworld magazine confirmed that the hot line was working, with wait times of approximately three minutes.
This is the second incident at the University of Missouri in recent months. In February, the school acknowledged that a server attack in January might have exposed the identities of 1220 researchers on the university's four campuses. The spokeswoman declined to comment on whether there could be any connection between the two events.
In its message to potential identity theft victims, the school said it "takes this matter very seriously" and noted it wasn't the only organization to be attacked. "All companies or organizations using the Internet to serve their customers face this challenge." Last year, reported the Columbia Missourian, then-university president Elson Floyd ordered that employee Social Security numbers information be deleted from online databases.
Universities are a frequent target of identity thieves, according to the data breach chronology compiled by the Privacy Rights Clearinghouse. Since Jan. 1, 27 US colleges or universities have been victimized by attackers. The list includes well-known institutions such as Notre Dame, Ohio State, Purdue and Rutgers. Several, in fact, have been hit multiple times: Notre Dame, the University of Idaho and the University of New Mexico each suffered two attacks in the first four months of 2007.