BANGOR, Maine — A “tragedy of errors” led to the compromise of Social Security and credit card information stored on a University of Maine server last month, according to the University of Maine System’s information technology chief.
John Forker, who has led the system’s Information Technology Office since May 2011, said the university has taken large strides to continue safeguarding the information of its students and employees, but a series of unusual circumstances allowed hackers to slip through.
The compromised server stored customer information gathered by what was, at the time, a state-of-the-art supply chain analysis and marketing system developed in 1999 by UMaine’s Computer Connection store to keep track of sales information.
The University of Arkansas had an agreement with UMaine to use this Buyers Search Assistant, or BSA, software for its own computer store.
UMaine stopped using the software in 2010 and switched to a different system. UMaine planned on phasing the server out, but kept it running because the University of Arkansas was still using it to process computer part orders.
As soon as the university learned of the breach, it shut down the server.
Forensic analysis showed that information from 2,818 individuals — which included as many as 435 credit card numbers and 1,175 Social Security numbers — was stored on the server. The University of Arkansas had up to 1,007 online-only transaction records on the server.
University of Arkansas officials first learned of the breach on April 27 after reading an article believed to have been posted to softpedia.com by a group of hackers known as Team GhostShell. The post states that the attack was retaliation for a recent law enforcement crackdown on hacking activities.
If hackers did get their hands on credit card numbers, they will only have access to the last four digits. Social security numbers, however, would be complete, according to Forker.
Only individuals who purchased computer parts online through the Computer Connection campus store before December 2010 are at risk, according to UMaine Vice President for Finance and Administration Janet Waldron.
The system still isn’t sure that the hackers were able to obtain the information, but is working with AllClear ID’s Identity Protection Network to notify everyone who had information on the compromised server, just to be safe, Forker said.
IT officials at UMaine and the system office didn’t realize that the server contained sensitive Social Security and credit card information, according to Forker and UMaine’s Executive Director of IT John Gregory, and that information shouldn’t have been stored on that server.
There are more than 500 servers on the Orono campus alone, according to Gregory. Servers known to contain sensitive information receive a heightened level of security oversight, monitoring and more frequent updates, he said.
Gregory said the university’s IT staff may escalate the number of system scans it runs and will double-check servers that receive a lower level of attention in an attempt to track down any unexpected sensitive information.
The incident at UMaine may seem minor when compared to security breaches at other universities and businesses that have compromised the information of hundreds of thousands of individuals.
The day before UMaine announced its breach, the University of North Carolina Charlotte announced that bank account information, names, addresses, Social Security numbers and other information from more than 350,000 students and staff had been compromised because of an error made by an IT official.
“That doesn’t make [the breach at UMaine] OK,” Forker said.
“We look to protect the systems with the highest risk involved, but it doesn’t matter if you’re the victim — if you’re one of 360,000 or you’re one of 1,200,” Forker said.
Shoring up defenses
After a security breach in 2010 compromised the medical data of more than 4,500 UMaine students who used the campus’ counseling center, the system began to take a sharp look at the structure of its information security, according to Waldron.
“Because it happened again … it heightens our awareness a little bit more,” Forker said. “It always does, but I can’t say we’ve been lax in the past two years.”
On the contrary, Forker said, the system hired a consulting firm called Protiviti after the 2010 hack to analyze information security within the system and make recommendations on how to curtail future hacker attacks.
Based on Protiviti’s findings, the system created the Office of Information Security, implemented a new information security policy that went into effect in March 2011 and established “data centers” at the Orono campus and the University of Southern Maine.
The idea behind the data center is to bring as many system and campus servers as possible into one centralized location, where they can be monitored, updated and scanned by IT staff who have immediate physical access to them.
UMaine’s data center is undergoing a renovation that is scheduled to be completed in August or September and will open up capacity to house many more servers, according to Gregory.
The system also began to provide awareness training for its employees. Some 2,500 staff, faculty, administrators and students employees have participated in the training so far.
“Any employee that might have access to sensitive data, they know how to handle it and they know how to protect it,” Forker said.
UMaine isn’t alone in its concerns about potential attacks to its servers. The Maine Community College System, which serves about 18,500 students, takes the threat seriously, according to community college system spokeswoman Helen Pelletier.
“We have numerous protections in place, assess the effectiveness of those protections on an ongoing basis, and have a clear procedure for notifying individuals if their information is ever compromised,” Pelletier wrote in an email. “We have not had to activate the notification provision of the procedure since it was adopted in 2007.”
Officials declined to go into detail about their information security systems and procedures.
Forker said it is an unending challenge for the university system to keep ahead of potential hackers and their attacks.
“People out there are always finding some new way to get in, some new exploit or vulnerability,” he said, but with the new policies and procedures “we’re on the right track.”