Another two universities suffer data breaches, but notification still too slow


Universities seem to be evergreen targets for hackers, with two more breaches announced in the past week or so.

This time it’s been the turn of North Dakota University System and the prestigious Johns Hopkins University in Baltimore, Maryland, both of which have had to warn their staff and students about potential data theft and identity theft.

Johns Hopkins University

The Johns Hopkins breach looks fairly minor at first glance. A web server in the Department of Biomedical Engineering was compromised and a fairly small amount of data extracted.

This was initially thought to be mainly information already publicly available, contact and biographical information for staff, but it was later found to include names and addresses for around 850 current and former students. No financial information, or other sensitive data such as social security numbers (SSNs), is thought to have been taken.

The most interesting aspect to this incident is the involvement of “hacktivists” claiming affiliation to the Anonymous group.

Having broken into the server and gathered the available data, they then apparently contacted the university demanding access to other parts of their networks, threatening to publish the stolen data if their demands weren’t met.

The university, of course, refused to comply and the data was duly posted online, along with a ranting message claiming the action was intended as a punishment for the university’s failure to fully secure its webserver.

Anonymous is by intention a fairly vague and ill-defined collective, and actions carried out in its name may often not have any real association with the rest of the group.

In this case, the tone of the message and the behaviour it accompanies seem almost designed to come across as illogical and pointlessly aggressive, destroying any sympathy the group’s more public-spirited engagements may have inspired.

Johns Hopkins did the right thing in ignoring the extortion attempt, although their public response to the incident may seem a little slow.

The breach itself is thought to have taken place in late 2013, and “came to light” thanks to a Twitter posting in January, but officials do not appear to have gone public with the information until shortly after the failed extortion attempt led to the data being publicly posted online.

That happened on March 6th, with the university’s official statement released the following day.

North Dakota University System

The North Dakota case is a little more serious, and again public notification appears to have been somewhat delayed.

North Dakota University System (NDUS) comprises several universities and colleges in the North Dakota region, which between them enrolled just under 50,000 new students last year. The body has a pretty hefty budget, with $1.3 billion expected spending this financial year.

Their breach involved a server accessed using compromised login accounts. No information has yet been released on how the account was taken over, but spearphishing is a likely candidate.

The illicit access began in October 2013, and was discovered in early February. Public disclosure was not made until March 3rd.

The systems breached contained personal data, including SSNs but not financial data, on not far short of 300,000 students and several hundred staff.

Initial investigations suggested this information was not accessed or exfiltrated, the server instead being used for other malicious purposes.

However, later reports hint at increased phishing activity targeting associated people, and imply the data was stored unencrypted, contrary to both university policy and good sense.

The NDUS official FAQ on the incident explains the month-long delay in public notification by claiming they needed to examine and secure the server:

Question: Why was there a delay in notifying me about this incident?
Answer: We needed time to conduct an investigation and forensic analysis to properly understand the scope of the incident and who was affected. We also needed to make sure the server was properly secured prior to making notifications that could attract the attention of other attackers.

One would hope that a decent sysadmin would be able to tell you fairly quickly how much sensitive personal data was stored on a given server, and disconnecting a compromised machine from the network, surely the first step as soon as a breach is discovered, shouldn’t take a full month either. A minute or two should be plenty.

Even in these cases, where leakage of data which could be used for identity theft is thought to have been minimal or non-existent, informing those whose information may be at risk should be the first priority.

Pondering how great the risk might be, or just how many people might be affected, can be done later on. If there’s any possible danger of exposure, people need to know as soon as possible.

Educational bodies make ideal targets for hacking, combining rich seams of personal information and potentially valuable research data with diverse, under-funded computing systems.

Breaches seem to come in clusters, as we saw last July with Stanford and Delaware universities announcing data leaks within a week of each other.

This latest cluster started a few weeks ago with a large breach at the University of Maryland, near neighbours of Johns Hopkins, where again large numbers of records were taken but notification was both prompt and comprehensive.

In that case, as in many others, identity monitoring services have been provided to help people ensure their identities remain their own.

Users of such services may want to take care though, with major provider Experian adding data mis-selling headaches to an already hefty history of breaches.

All this seems to strengthen the case for better standards for breach notifications.

Image of keyboard courtesy of Shutterstock.