The University of Florida last week revealed that it has notified more than 333,000 people about the potential compromise of their personal data following a system intrusion at its dental school.
It’s an incident that is likely to further reinforce the reputation college networks and systems have of being notoriously insecure environments.
The compromised data included the names, dates of birth, Social Security numbers, and addresses of current and former College of Dentistry patients dating back to 1990, as well as information about dental procedures in some cases, the university said in a statement.
The data had been stored unencrypted in a database on the breached server, it added.
In addition to the 330,000 people who were notified, another 8,000 individuals whose current mailing addresses couldn’t be found were affected by the intrusion, according to the statement.
Officials at the university in Gainesville hope that those patients will learn about the data breach through media coverage of yesterday’s disclosure.
The breach was discovered Oct. 3 while the server was being upgraded. The university said IT staffers discovered then that malware had been installed on the system from a remote location.
It added that the server was “immediately disconnected” from the Internet and that stronger security controls have since been put in place. No details about the new controls were disclosed.
The university noted that the breach occurred despite what it said were several previous security measures designed to mitigate such risks, such as encrypting data while it’s in transit and strengthening firewalls and intrusion-detection systems.
A university spokeswoman said that there were multiple reasons why the notifications were sent out more than a month after the breach was first discovered.
Initially, IT workers and external consultants who were brought in to help needed to determine what the scope of the breach was and figure out how many people had been affected.
Later, law enforcement officials asked the university to withhold disclosure while the breach was being investigated, the spokeswoman said. It also needed time to establish a call center and set up a Web site to handle questions from affected individuals.
The spokeswoman added that the time taken by the university was in line with Florida breach disclosure rules that require organizations to notify people about a potential compromise of their personal data within 45 days of its discovery.
As is typical with most disclosures of this sort, the university didn’t identify the kind of server that was breached or specify how the intruder gained access to it.
It also didn’t say when the intrusion began or how long it remained undetected.
In the wake of the discovery of the breach, the university is working to examine nearly 60,000 other computers on its campus to ensure that they aren’t similarly vulnerable to security threats, the spokeswoman said.
A list of data breaches dating back to 2005 that is maintained by the Privacy Rights Clearinghouse shows that about 60 of nearly 300 incidents reported this year were at universities.
A similar list on a Web site called Educational Security Incidents pegs the number of academic breaches this year at an even higher number: 153. But it includes several incidents that happened outside the U.S.
Expectedly, banks and financial institutions have also been a major target of such breaches.
For instance, a couple of weeks ago, researchers at RSA Security Inc.’s FraudAction Research Labs reported that a sophisticated cybercrime group that stole the log-ons to more than 500,000 online bank accounts and almost as many credit cards over the three years that it has maintained an especially devious Trojan horse.
The RSA researchers tracked the Sinowal Trojan horse, also known as Mebroot and Torpig, to a drop server that contained the stolen credentials, said Sean Brady, the product marketing manager at RSA’s ID and access assurance group.
“The sheer enormity makes this unique,” said Brady. “And the scale is very unusual.”
The gang behind Sinowal managed to obtain access to nearly half a million bank accounts and credit cards, a volume RSA dubbed “ruthless” and “extraordinary.”
“And the fact that the Trojan was managed by one group through its history and maintained for nearly three years is also very unusual,” Brady said.
RSA uncovered records that showed the Trojan horse had been in active operation since at least February 2006. “In malware life cycles, that’s ancient, and to keep it up required a high degree of resources and effort.”
The company’s researchers first got onto Sinowal’s trail after they captured a sample of the Trojan horse. An analysis of its code laid out a map back to the drop server. That server was another unusual characteristic of the malware.
“Infection points and drop points go up and down all the time,” Brady said. “They typically have very short lifespans. But this drop site not only stayed up, it showed a sustained collection of log-ons.”
Brady also credited Sinowal’s longevity to its authors’ skills and secrecy.
The Trojan horse has been revised more or less constantly, although there were periods when its creators ramped up the number of variants.
After a lull last February, for example, the number of different versions again spiked in June, then hit slightly lower peaks in August and this month.
The group is also more secretive than most, a trait that served it well. “They don’t outsource, and [they] have all the necessary expertise in-house,” said Brady.
“They don’t open their tool kits to other hackers, either. We suspect that the closed-loop nature of the group contributed to their ability to remain undetected.”
These crooks, like many at the top rungs of the cyberunderworld, work their craft first and foremost as a business.
“We see some evidence that they have employed some practices that you may normally find in businesses that maintain high availability [of IT],” Brady said.
“They’re using some redundancy, some backup effort for the data. They’ve clearly invested in this.”
Sinowal has infected hundreds of thousands of PCs worldwide during its run, and it continues to attack machines.
Once on a system, the malware waits for the user to enter the address to an online bank, credit card company site or another financial URL, then substitutes a fake in place of the real thing.
It’s triggered by more than 2,700 specific Web addresses, a massive number compared with other Trojan horses.
The fake sites collect log-on usernames and passwords to banks and other financial institutions and dupe users into disclosing information those organizations never collect online, such as Social Security numbers.
The Trojan then transmits the stolen credentials and data to the drop server.
“This is one of the more sophisticated pieces of malware out there,” said Brady.
One reason Sinowal has been so successful is that it’s rarely detected by antivirus software. “They struggle to find this one,” Brady said.
That’s not surprising. The Trojan horse includes rootkit elements that infect the PC’s master boot record (MBR), the first sector of a hard drive. Because the hardware looks to that sector before loading anything else, Windows included, the Sinowal is nearly invisible to security software.
The more notable breaches thus far this year include the following incidents:
- In April, Southern Connecticut State University notified 11,000 current and former students that their names, addresses and Social Security numbers may have been accessed by intruders who were using the school’s Web server to host an illicit site, allegedly as part of a spamming operation.
- That same month, Antioch University in Yellow Springs, Ohio, said that the failure to patch a vulnerable ERP server resulted in the potential exposure of data on about 60,000 people.
- And in March, Harvard University disclosed that the personal information of about 10,000 graduate students was exposed after unknown intruders broke into a server that contained data on individuals who had applied to the school for the 2007-2008 academic year or sought student housing.
