Story

Data on 684,000 Stolen at University of Nebraska

The University of Nebraska "did not divulge what the vulnerability -- that they say is now closed -- was that enabled the breach," said security researcher Neil Roiter. "However, the message is clear: Universities, as institutions that typically need to be open to advanced learning, have to balance security with that openness."

Another week, another security breach. This time it happened at University of Nebraska -- and it's being called the biggest university breach this year.

The University of Nebraska database breach exposed sensitive information of more than 654,000 students, parents and employees. The database in question, the Nebraska Student Information System, contains the Social Security numbers and dates of birth for all employees.

On Thursday, University of Nebraska officials announced that an individual had been identified who they believe was responsible for the breach. Meanwhile, security analysts are wading through the fallout of yet another high-profile hack.

"We have seized computers and related equipment belonging to a UNL undergraduate student who we believe is involved in this incident," said University of Nebraska-Lincoln Police Chief Owen Yardley. "They are currently in the hands of law enforcement and undergoing analysis."

Forensics Testing Under Way

According to Yardley, the individual was identified by NU Computing Services personnel through IP addresses used to access the system. The suspect's name will not be released until an arrest is made. A forensics team is analyzing the evidence.

"In order to assist with the criminal investigation, police asked the university not to release information about this security incident during the first 48 hours as work was done to verify the identity of the individual involved and necessary legal steps were taken to seize the property," Yardley said.

University officials recommended concerned parties contact a credit reporting agency to determine whether hackers have tried to establish or extend credit in their name. Although bank account information for most employees was not stored in the database, the university suggests monitoring bank accounts carefully.

Joshua Mauk, University of Nebraska information security officer, said the university and law enforcement officers were continuing to analyze how the breach occurred, and whether any information was downloaded.

Balancing Security with Openness

We caught up with Neil Roiter, director of research at Corero, to discuss the latest high-profile security breach. He told us it's fortunate that the breach was discovered and authorities had identified a suspect.

"Described by the university as a 'skilled attack,' we do not know what was done with the exposed Social Security numbers, names, addresses, course grades, financial aid and other information on students who attended the university since 1985," Roiter said.

"The university did not divulge what the vulnerability -- that they say is now closed -- was that enabled the breach. However, the message is clear: Universities, as institutions that typically need to be open to advanced learning, have to balance security with that openness to ensure sensitive data is protected.

"The fact, according to the university, that its data was not encrypted and that the nature of the attack would have bypassed it in any event, raises questions about its overall security posture."