The University of Colorado at Boulder today announced that a computer server in the College of Arts and Sciences' Academic Advising Center, which had been recently attacked with a worm, had exposed 44,998 student names and Social Security numbers, prompting the campus to institute a new series of Information Technology security measures.
The students, enrolled at CU-Boulder from 2002 to the present, are being notified by the University of Colorado at Boulder's College of Arts and Sciences.
CU-Boulder IT security investigators on May 12 discovered that the worm entered the server through a vulnerability in its Symantec anti-virus software. That vulnerability had not been properly patched by Arts and Sciences Advising Center IT staff. CU-Boulder IT security investigators do not believe the hacker who launched the worm was seeking personal data, but rather was attempting to take control of the machine to allow it to infiltrate other computers both on-and-off the CU-Boulder campus.
"The server's security settings were not properly configured and its sensitive data had not been fully protected," said Bobby Schnabel, CU-Boulder vice provost for technology. "Through a combination of human and technical errors, these personal data were exposed, although we have no evidence that they were extracted."
Todd Gleeson, dean of CU-Boulder's College of Arts and Sciences, said he would request that all Arts and Sciences Advising Center IT operations be placed under the direct central control of CU's Information Technology Services department. He said all of the students whose data were exposed are being notified through letters from the college mailed to their homes.
"We have also taken steps to ensure that all sensitive personal data have been removed from our Academic Advising Center servers," said Gleeson. "I want to assure our past and present students that we have taken strong measures to protect our advising center computers and our students' personal information."
Students needing more information about protecting themselves following a data exposure can visit a special Web site at .
Besides the measures Gleeson requested for the Arts and Sciences Advising Center, the campus will adopt new IT security measures, according to Chancellor G. P. "Bud" Peterson. These include:
o New steps to envelop the Arts and Sciences Advising Center IT operations and selected other CU-Boulder IT operations under the control of the central ITS department, reducing the practice of distributing IT responsibilities among colleges, schools, academic departments and programs;
o Continuing efforts using the latest software to identify and purge Social Security numbers from all CU-Boulder computers in all departments. CU-Boulder switched from Social Security numbers to a Student Identification number system in 2005;
o Making available to campus IT administrators new host-intrusion detection software;
Other measures that have been taken previously and will continue include:
o Use of a restrictive network firewall installed in August 2006 that has greatly reduced the campus's exposure to vulnerabilities;
o An aggressive security awareness campaign begun in fall 2004;
o A campus risk assessment process to identify campus IT risks and develop programs to mitigate the risks;
o Implementation of required comprehensive minimum-security standards for all campus computers.