University Of Florida Records Hacked
University officials detected the breach Oct. 3 while college IT staff were conducting an upgrade to the server and found that unauthorized software had been installed remotely.
Altogether, the hacked information included patient names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information dating back as far as 1990.
Members of the FBI are working with the University police department and the College of Dentistry to investigate the security breach. Meanwhile, UF officials are also in the process of screening up to 60,000 additional computers on campus to install appropriate security solutions and protect student information stored on them.
Following the breach, university administrators sent letters alerting affected individuals that their records might have been compromised. So far there is no evidence that the hackers have used the confidential information for fraudulent purposes, UF officials say. As a precautionary measure, the letters include a brochure listing preventative steps victims can take to obtain copies of their credit reports as well as tips to avoid identity theft or the fraudulent uses of their personally identifying information.
"It's unfortunate that, like many large institutions, we were targeted. We work hard to continually fine-tune our security protections, and maintaining our patients' trust and confidence is of utmost importance," said Teresa Dolan, dean of the UF College of Dentistry, in a written statement. "We cannot stress enough how seriously we take this matter."
In recent years, the university has beefed up its security infrastructure with firewalls, intrusion detection systems and by encrypting data flows containing sensitive information, and has increased its vigilance of threat identification and security servers.
"Despite these efforts, this illegal user was able to gain access to the server," Dolan said.
But some say that the university's efforts might not have been enough. And security experts say that they expect to see more large universities experience these types of attacks over the next year. Universities make attractive targets for hackers, experts say, because they have copious amounts of personal student information. Unlike financial and health-care institutions, they often lack the necessary infrastructure to protect the information.
"They aren't used to securing their data in a way that a bank or health-care institution is used to," said Michael Argast, security analyst for Sophos Labs. "They don't have a lot of policies around data security in hand, and as a result, they're more susceptible to this type of attack."
That will likely change, though, as university personnel start to realize the severity of the threat and make the necessary paradigm shift to address it, Argast said.
"Serious security is not a core part of their genome. It's something they're still learning," Argast said. "Those practices just aren't habits. But we're seeing a huge uptick in interest. This is a very real, present threat, and it threatens their user community."