University of
ConnecticutIncident
The University of Connecticut issues ID alert about computer security incident
Questions and Answers for Employees, Students and Affiliates
Summary
A computer containing personal information such as Social Security number and name was breached by an unauthorized intruder. Although there is no evidence indicating that this personal data was accessed or extracted, the University of Connecticut is contacting everyone whose identity may have been put at risk.
- Exactly when and how did the breach occur, and when was the breach detected?
- How many users are affected?
- What personal information was put at risk?
- Do you know whether any information was stolen?
- What procedures did the University follow with regard to the security breach?
- How do we respond as individuals if we discover fraudulent use of our personal information?
- What steps is the University of Connecticut taking to prevent illegal access of confidential information in the future?
- What has the Univeristy done to notify users?
- Who should I contact if I have any additional questions concerning this security breach?
Exactly when and how did the breach occur, and when was the breach detected?
The breach occurred on October 26, 2003. It was detected on June 20, 2005. The attack took advantage of an insecure service, for which no vendor patch was yet available. Careful analysis of the computer indicates that the original compromise was incomplete.
| back to top |
How many users are affected?
The server has contained the account information of at most 72,000 students, faculty and staff between the time of infection and discovery.
| back to top |
What personal information was put at risk?
The server stored personal information including users NetID, name, social security number, date of birth, and campus address.
| back to top |
Do you know whether any information was stolen?
Results of our examination reveal no indication that any personal information was accessed or extracted. There are several factors about the incident that leads the University to believe that this incident puts its users at low risk of identity theft. They are:
- Part of the attack involved the intruder installing a "backdoor" for later access. The attempt to install this "backdoor" failed.
- The personal information on the server was not easily accessible.
- The nature of the compromise indicates that the server was breached during a broad attack on the Internet, and was not the target of a directed attack. Therefore, the attacker most likely had no knowledge of the kind of data on the server.
| back to top |
What procedures did the University follow with regard to the security breach?
- Immediately upon discovery of the security breach the affected server was removed from the network.
- University senior officials were contacted.
- The University examined and verified that other computers that communicate with the breached server and that contain sensitive information are secured.
- A forensic analysis of the server and network logs was conducted and evaluated to discover the nature of the incident.
| back to top |
How do we respond as individuals if we discover fraudulent use of our personal information?
Individuals whose information has been exposed by this security breach can request a free initial fraud alert to be placed on their credit files by calling any one of the three major national credit bureaus:
Equifax: 888-766-0008
Experian: 888-EXPERIAN (888-397-3742)
Trans Union: 800-680-7289
Individuals may be entitled to receive a free copy of their credit report no more than one time per year from each of the three major national credit bureaus; however, they need to do so by contacting the central agency at https://www.annualcreditreport.com/.
*In addition to consumers who are eligible for a free credit file disclosure through the Annual Credit Report Request Service; consumers in some states are eligible for a free credit file disclosure under state law. Please select your state to determine when free credit reports will become available for you through this site.
If you want to request a credit report today and you are not in one of the states listed above, you can obtain one from any of the nationwide consumer credit reporting companies. If you purchase a report, the price is set by law and will not exceed $9.50.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, you should file a complaint with the FTC at http://www.consumer.gov/idtheft or at 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement agencies for their investigations. The FTC also will advise you on further steps to take in the event your information is being used illegally.
| back to top |
What steps is the University of Connecticut taking to prevent illegal access of confidential information in the future?
To reduce the risk of a potential personal information disclosure, the University is in the process of reviewing its dependence on the Social Security number as a unique identifier. A change to a different method of identifying users will greatly reduce the potential for a personal information disclosure.
The University is auditing other servers and departments that are not directly part of the breached system, but may contain or transmit sensitive information.
The University will continue to implement more stringent network and server access controls and logging while striving to maintain the collaborative environment that makes the University of Connecticut a successful research institution.
| back to top |
What has the Univeristy done to notify users?
The University is posting these questions and answers to a web site along with sending mail to each affected user.
| back to top |
Who should I contact if I have any additional questions concerning this security breach?
If you have any questions regarding this incident please phone the UITS Help Center, at (860) 486-4357, for assistance.
| back to top |