Nichole Dobo, The (Wilmington, Del.) News Journal
NEWARK, Del. - A cyberattack on a University of Delaware computer system exposed more than 72,000 people to identity theft and could cost the school millions of dollars - and the full extent of the security breach hasn't been determined.
Hackers exploited a security flaw in Web-based software the university used and stole names, addresses, Social Security numbers and university identification numbers of current and past employees, including student workers, school officials said Tuesday.
It's not yet known if they managed to copy other sensitive records from the software, which the university uses to conduct business services such as payroll.
Officials did not say how far back the stolen employee records date. The investigation is ongoing, and University of Delaware officials could not rule out the possibility that they might discover additional problems.
The attack was "particularly aggressive and particularly nasty," said Carl Jacobson, UD's vice president of information technology.
An information technology worker doing routine checks discovered the possibility of a problem July 22, Jacobson said. Officials believe the records were stolen a few days earlier, July 17. The university notified the FBI and has hired outside experts to help assess and mitigate the damage.
The hackers targeted UD's use of the Java-based Struts2, an open-source, free software framework developed by teams at the Apache Foundation, Jacobson said.
Though not required by law, the university will pay for credit monitoring for three years for those whose data was stolen. The university is sending out letters and emails to affected people. People also can check their status at www.udel.edu/it/response.
"We want people to know we are going to take care of them," Jacobson said.
The university hired Mandiant, a firm used recently by The New York Times to investigate a hacking at the newspaper. Meanwhile, Kroll Advisory Solutions is working with individuals who had their data stolen, Jacobson said.
Some of the university's notification e-mails were going to recipients' spam folders, and other recipients initially thought the notice itself was fake.
Philosophy Professor Jeffrey Jordan said he learned of the problem via an e-mail message that was forwarded to him. He suspected it was a phishing attack.
"We just got the e-mail this morning," Jordan said Tuesday. "It was surprising. I didn't think it was real at first."
To get a feel for the scope of the problem, consider that about 4,100 people are current UD employees and about 900,000 people live in Delaware.
"This problem is worrisome, and the information that has been made available raises more questions than it answers," said education Professor Jan H. Blits. "The link to the site is, of course, overwhelmed so we can't get through. And we've been told to wait."
Experts pegged the cost of dealing with the problem in the millions of dollars, perhaps as much as $13 million to $19 million, according to estimates calculated using the Ponemon Institute's annual study of data breach costs.
"The problem keeps getting worse," said Mike Hufe, director of the Center of Cyber Security at Wilmington University in New Castle, Del. "It's fairly easy to attack, but it's difficult to fight."
It's not unusual for higher education institutions to be targeted, experts said, and the University of Delaware is not the first to suffer a security breach. In one incident last year, hundreds of thousands of records at the University of Nebraska were exposed.
"Information is currency in the 21st century," said Aaron P. Simpson, a partner at Hunton & Williams who specializes in privacy and cybersecurity breaches. "There is a lot of data everywhere, and bad guys want it because it's valuable."
There were hints late last week that something was wrong at the university.
Online access to functions such as paying tuition bills was unavailable, and a vague but serious-sounding message was posted on those Web pages. University of Delaware officials took down the sites as they worked to contain the problem. Most functions are operational now, Jacobson said.
UD officials waited until this week to tell the community because they had to first figure out what happened and who was affected, Jacobson said. They had to notify law enforcement, patch the software flaw and hire experts to figure out exactly what - if anything - was stolen.
"Companies, correctly, don't want to come out with information that's wrong," Simpson said.
Then there are those looking for news of problems to try to further exploit weaknesses. That makes it critical for the university to thoroughly vet its internal system, said Terry Kurzynski, a partner at Halock Security Labs. Typically, he said, colleges do not do enough to lock down systems to prevent problems.
It's a certainty that UD won't be the last higher education institution to suffer an attack, said Paolo Gasti, an assistant professor of computer science at the New York Institute of Technology.
"There are many parties with an interest, and as long as the data fulfills some of those interests you will always have someone who is willing to spend time and the resources to get that data," he said.
Contributing: Wade Malcolm, Jeff Montgomery and Patrick Sweet, The (Wilmington, Del.) News Journal