ORONO, Maine — A security breach on one of the University of Maine’s servers may have compromised information on people who made purchases through campus-based computer stores at the Orono campus and the University of Arkansas, UMaine announced in a press release Thursday.
Early forensic analysis showed that information from 2,818 individuals — which included as many as 435 credit card numbers and 1,175 Social Security numbers — was stored on the server. The University of Arkansas had up to 1,007 online-only transaction records on the server.
It’s not yet known whether hackers were able to obtain any of that information, said John Forker, chief information security officer for the University of Maine System.
The affected server supported a Web-based tool called Buyers Search Assistant, or BSA, which was a supply chain analysis and marketing system developed by UMaine’s Computer Connection store in 1999.
The University of Arkansas was licensed to share the service with UMaine starting in 2007.
UMaine stopped using the server when it switched to a different system in December 2010 but kept the server on because the University of Arkansas still was using it, according to UMaine Vice President for Finance and Administration Janet Waldron.
University of Arkansas officials first learned of the breach on April 27 after reading an article believed to have been posted to softpedia.com by a group of hackers known as Team GhostShell. The post states that the attack was retaliation for a recent law enforcement crackdown on hacking activities.
The University of Arkansas quickly notified UMaine, which shut down the server.
Investigators and university officials have been trying to assess the damage ever since.
Only individuals who purchased computer parts online through the Computer Connection campus store before December 2010 are at risk, according to Waldron. It’s not yet known whether hackers actually obtained any information from the servers.
No other university data or servers were affected in the attack, according to university officials.
“This was a very isolated incident,” Waldron said.
The Social Security numbers stored on the server were holdovers from the days when students used Social Security numbers for identification rather than assigned student ID numbers.
The Maine State Police Computer Crimes Unit, FBI, UMaine police and information technology staff at the University of Maine System and its flagship campus are investigating the server security breach.
Investigators are working with AllClear ID’s Identity Protection Network to notify affected customers.
Anyone whose information was compromised will receive a year of free identity protection, including credit monitoring, identity theft insurance and alerts regarding credit changes, according to the university.
Forker said investigators are combing through the data that may have been compromised to get a list of individuals that will receive notification.
In 2010, UMaine had a similar situation in which hackers allegedly accessed personal data of more than 4,500 students from the campus counseling center. However, investigators later determined that none of the personal data was uploaded or shared by the supposed hackers.
“This could be the same situation again, we just don’t know,” Waldron said.
“Any time these attacks occur anywhere in the world, it heightens our awareness and vigilance,” Waldron said. “We are committed to maintaining the best computer security efforts to prevent such attacks and safeguard institutional data. It is a constant battle.”



Thank God that my transcript- 4.0 over 8 semesters was not compromised! Whew….
Great, my wife has worked there for years, but we never bought anything there until this year. Figures.
Doesn’t sound like there’s any need to be concerned on your part, the update to the story will be going up shortly, and one of the things it states is that only information from online purchases through the Computer Connection store up until December of 2010 is at risk. Sounds like you’re in the clear.
Nick – I’m sure you’ll get to this, but why were there Social Security numbers on the server?
Possibly because up until just a few years ago a student’s ID# was their SSN#. Just a thought.
Justin, Daniel is correct. I’m updating the story as we speak and double checked with UMaine to make sure this was the case. Those SSNs were holdovers from purchases made before UMaine switched to student ID numbers.
It’s been a lot longer than a “few years.”
While I attended school I was transitioned to the new ID# around 2008-2009 is what I thought. I couldn’t remember exactly.
As of 2005 they were still using SSNs.
Nick: Thanks for the update!
Big F – for Computer Science Courses. How can a University teach Computer Engineering when they can’t even secure the University’s own Server?
It was a system designed for on-campus computer stores and most likely was part of some package deal. I doubt that they asked their best computer science teachers for any advice when they made the deal.
Too busy spending grant money on wind development and not on computer security.
Because grant money given to and earned by one department is supposed to be used in one that didn’t apply for it? Someone as conservative, and inherently close minded, as yourself can comprehend that that doesn’t make sense.
It wasn’t made to make sense; it was made to say that they are more concerned about their other programs and have not invested the proper time and finances to avoid such situations.
Maybe this will lead to some athletic contests with the U of Arkansas–wouldn’t that compensate for whatever else happens here?
I never thought UMaine and the University of Arkansas would be connected in the same story.
Many readers are likely pleased that UMaine didn’t share its computer-glitch story with a real backwards, redneck college like the University of Mississippi. Aren’t Mississippi and Arkansas usually the gold standard for under-performance and backwardness? Is Maine now bucking for the distinction?
Ole Miss and University of Arkansas are fine schools. How elitist of you.
BEWARE I have found that it is not safe to use credit or debit cards at OMO, my cards have been compromised twice from transactions I have made there. In the end I wasn’t held responsible for the charges, but I wasn’t that impressed.
Hackers.. What ever happened to civility, where people helping people was the norm? Be kind, be helpful and your heart will fill with joy.
“This was a very isolated incident,” Waldron said.
It always is.
So my girlfriend, who is a University of Rochester graduate, just received an email from her alma mater. It seems UofR data was on this server also.
http://www.rochester.edu/news/show.php?id=4072