Leaked student, admin information taken offline
No sensitive information that could result in identity theft was compromised
October 3, 2012, 5:05 pm
Leaked private information of over a thousand Penn students and administrators has been removed from the internet, according to a University press release.
A group of anonymous hackers by the name of Team GhostShell posted private information from Penn and other universities across the world on Monday to expose the hacks and vulnerabilities of higher education institutions.
Information from five data tables came from a database in the Office of the Vice Provost of University Life. There were a total of 1,764 entries from Penn, which included names, email addresses, phone numbers and PennCard numbers of students, alumni, faculty and administrators.
The University released an official statement Wednesday afternoon confirming that no sensitive information that could result in identity theft was compromised.
There are no implications for the students whose PennCard numbers were publicized, the release said. “The student ID, also known as the PennID or PennCard number, is used merely as an identifier and without a corresponding password cannot be utilized to gain access to systems.”
Community members whose information had been leaked were notified Wednesday afternoon. Students with additional questions or concerns are encouraged to contact the Office of Audit, Compliance and Privacy.
Information and Systems Computing and the University are continuing their investigation. ISC declined to comment on specifics of the incident and deferred comment to the Office of University Communications.
The system that was breached has since been taken offline and administrators are continuing to investigate and will share relevant information with law enforcement.
According to the University press release, no social security numbers, PennKey passwords, bank account numbers or credit card numbers were released.
Identity Finder — a company that helps consumers prevent identity theft and data leakage — conducted an analysis of the 120,000 leaked records from many universities. It found that 36,623 unique email addresses, one bank account number, thousands of usernames and hashed and plain-text passwords, and employee payroll information, among other findings, had been released.
Other universities that were targeted by Team GhostShell include Harvard, Princeton, Stanford and Johns Hopkins universities in the U.S., and University of Edinburgh, University of Berlin and Osaka University abroad. The group targeted 100 universities total.
According to the leak, 322 database tables from Penn were compromised, and names and information from five — “aod_user,” “coursereview_tblusers,” “lgbtc_users,” “nec_wp_users” and “OHE_FS_student” — were published.
While the University could not confirm what these data tables may represent, it did verify that VPUL’s server had been compromised.
Some students on the list were surprised and could not recall obvious affiliations with the names of the tables.
Others didn’t find the situation to be particularly alarming.
2010 College graduate Christopher Wogan, whose name and information were published, said he wasn’t too worried. “There’s nothing in that info you couldn’t already find out if you did enough research.”
After he heard the news, 2011 Engineering graduate Kevin Chu changed his password. “I don’t think I have too much stored in my Penn account so I didn’t feel that there was too much at risk,” he said.
Though the information leaked from Penn may not be sensitive in isolation, what the acquired data could be connected to may be of concern, according to Andrea Matwyshyn, a legal studies and business ethics professor and expert in computer security.
“The way identity theft happens is that info obtained in one source is merged with another source — that creates a profile,” she said.
As precautionary measures, she said it wouldn’t hurt to change email addresses and phone numbers.
Aaron Titus, chief privacy officer and general counsel of Identity Finder, said even though the information was not sensitive for identity theft, students should be on the lookout for subsequent phishing.
Students may be targeted by a different form of phishing — called spear phishing — where email messages appear to come from a trusted source, according to Titus, a privacy professional and advocate.
It is possible for a spammer to pose as the University and solicit students to enter sensitive information into another site. “This won’t necessarily happen, but it’s the type of thing that could happen, so be wary of any email purporting to come from official sources that asks you to enter sensitive information,” he said.
Aside from subsequent phishing, Penn’s leak is relatively low risk, Titus added.
Penn currently subscribes to Identity Finder, which searches hard drives for sensitive personal information and allows users to delete and destroy it. The service is available to Penn students.
According to the University press release, Penn will share “relevant and actionable information” with authorities, including law enforcement.
Matwyshyn believes given the nature of the information crime industry, it would be difficult to track down the individuals responsible for the breach.
Computer intrusion cases are often prosecuted criminally, she added. The Computer Fraud and Abuse Act — a law passed in 1986 — defines the extent of authorized access an individual has to a protected network.
Matwyshyn said assuming the hackers did not have authorized access to Penn’s servers, the case would be a “very straightforward prosecution.” Penalties usually include money damages and prison sentences that can exceed five years, she added.
However, Titus, who is also an attorney, said with a breach like this, it will be difficult for the victims to prove they were directly harmed by the leak.
“Embarrassment isn’t enough,” he said. “You would have to show for example that you failed to get a job because your sexual orientation was made known and the person hiring made the decision solely on the basis of this particular breach.”
University servers face unique challenges. “They’re designed to accommodate free flow of information, but that leads to a large degree of decentralization. Every professor in every department is his own small kingdom … which means very little centralized control over IT security policies,” Titus said.
Matwyshyn said the types of records that universities possess are very appealing to hackers.
She added that in today’s computer hacking industry, financial incentives come into play. She estimates the economy for information crime is almost equivalent to that of the drug industry, though both are hard to measure. As the information industry grows, threats will only become more aggressive.
Staff writers Caroline Meuser and Angelyn Irvin contributed reporting.