ORONO, Maine — A security breach on one of the University of Maine’s servers may have compromised information on people who made purchases through campus-based computer stores at the Orono campus and the University of Arkansas, UMaine announced in a press release Thursday.
Early forensic analysis showed that information from 2,818 individuals — which included as many as 435 credit card numbers and 1,175 Social Security numbers — was stored on the server. The University of Arkansas had up to 1,007 online-only transaction records on the server.
It’s not yet known whether hackers were able to obtain any of that information, said John Forker, chief information security officer for the University of Maine System.
The affected server supported a Web-based tool called Buyers Search Assistant, or BSA, which was a supply chain analysis and marketing system developed by UMaine’s Computer Connection store in 1999.
The University of Arkansas was licensed to share the service with UMaine starting in 2007.
UMaine stopped using the server when it switched to a different system in December 2010 but kept the server on because the University of Arkansas still was using it, according to UMaine Vice President for Finance and Administration Janet Waldron.
University of Arkansas officials first learned of the breach on April 27 after reading an article believed to have been posted to softpedia.com by a group of hackers known as Team GhostShell. The post states that the attack was retaliation for a recent law enforcement crackdown on hacking activities.
The University of Arkansas quickly notified UMaine, which shut down the server.
Investigators and university officials have been trying to assess the damage ever since.
Only individuals who purchased computer parts online through the Computer Connection campus store before December 2010 are at risk, according to Waldron. It’s not yet known whether hackers actually obtained any information from the servers.
No other university data or servers were affected in the attack, according to university officials.
“This was a very isolated incident,” Waldron said.
The Social Security numbers stored on the server were holdovers from the days when students used Social Security numbers for identification rather than assigned student ID numbers.
The Maine State Police Computer Crimes Unit, FBI, UMaine police and information technology staff at the University of Maine System and its flagship campus are investigating the server security breach.
Investigators are working with AllClear ID’s Identity Protection Network to notify affected customers.
Anyone whose information was compromised will receive a year of free identity protection, including credit monitoring, identity theft insurance and alerts regarding credit changes, according to the university.
Forker said investigators are combing through the data that may have been compromised to get a list of individuals that will receive notification.
In 2010, UMaine had a similar situation in which hackers allegedly accessed personal data of more than 4,500 students from the campus counseling center. However, investigators later determined that none of the personal data was uploaded or shared by the supposed hackers.
“This could be the same situation again, we just don’t know,” Waldron said.
“Any time these attacks occur anywhere in the world, it heightens our awareness and vigilance,” Waldron said. “We are committed to maintaining the best computer security efforts to prevent such attacks and safeguard institutional data. It is a constant battle.”