Bursar's office hacked

A security breach at the bursar's office allowed a hacker to download the personal information of 3,100 students earlier this month, University spokeswoman Susan Dillman said.\nStudents' names and Social Security numbers could have been downloaded from a departmental computer as early as Jan. 25, Dillman said.\nShe said it appeared that the hacker was not operating from within the United States.\nAffected students said they received a letter about the breach Saturday. According to the letter from Bursar Susan Cote, the students' "information was transferred to various Internet sites."\nAcquiring a person's name and Social Security number would enable someone to open credit cards, falsify criminal records, empty bank accounts and engage in other fraudulent activities, unbeknownst to the individual whose identity is being stolen, said Kurt Richter, a graduate student who was affected by the breach.\n"It's enough to screw you good," he said.\nDillman said the breach occurred when the employee responsible for that server was out sick. Another employee tried to fix it, but skipped a step bringing the computer back up, leaving the server unprotected, she said.\nSomeone found the IU server and began to use it to store audio and music video files, she said. Then it appeared someone looked around in the server and downloaded from it at least once, she said.\nFeb. 6, the Bursar was notified by University Information Technology Services because of excessive, non-bursar traffic on the server, Dillman said. UITS investigated from Feb. 7 to 16 and discovered the breach.\nDillman said 500 sponsored students were exposed from Jan. 25 to Feb. 6, while 2,600 graduate students were exposed from Feb. 5 to 6.\nStudents said they are concerned not only about illegal access to their information, but also about the lack of information and help they've been offered by the University.\n"You can attribute this to human error and institutional coverup," Richter said.\nFiliz Cicek, a graduate student, said she questions the timing -- the letter came several days after the breach was discovered and on a weekend, when she could do little about it, Cicek said.\nDillman said the Bursar's office had to identify who the affected students were, and that's why notification took longer.\nGraduate student Garvey Pyke said he was angrier about how the University handled the breach than the breach itself.\n"The violation of trust was not the 'hole' but the way they have handled it," Pyke said.\nThe Feb. 22 letter gave students information about what kind of fraud to look for, gave Web sites with information about Social Security number fraud and instructed them to contact the bursar's office if they suspect fraud.\nThe computer breach could mean long term damage, graduate student Chad Tew, also a victim, said. He said the solution to keeping it from happening again is to eliminate the use of Social Security numbers as ID numbers.\n"For the long term solution to this, IU really needs to rethink its policy about having Social Security numbers serve as the personal identification number," Tew said. "Every student here at IU should feel like a potential victim."\nMichael Thomas, a graduate student and associate instructor, called Social Security numbers as ID numbers "very dangerous." The numbers are on his class lists -- and on hundreds of others all over campus, he said.\n"You can do a lot with those numbers," he said.\nPyke said Social Security numbers as IDs is only one of several technologically unsound campus practices.\n"We like to say we're the most wired, but we won't say if we're the most hacked," Pyke said.\nDillman said the University is taking steps to prevent another security breach in the future.\nAccording to the Feb. 22 letter, University computer security experts made recommendations to increase security that have already been implemented.