During the last five years, four separate security breaches have surfaced on campus, prompting many students to examine how well the University protects their personal information.
• In March 1997, 256 faculty members had their Social Security numbers accessed, according to University officials.
• Last February, more than 3,000 student Social Security numbers were accessed by an outside individual when a security "hole" was left open in an Office of the Bursar database, University officials said.
• In June, a computer security breach in the School of Music gave hackers the opportunity to access more than 1,700 individuals' Social Security numbers, including nearly 150 IU students.
University officials said the discovery of hacking tools and Internet Relay Chat programs installed on the Web servers by the hackers led them to believe they hoped to use the servers as a "safe haven" to store their software.
• This summer, boxes containing pages of personal student information -- including full names, addresses, Social Security numbers and employment information -- were left unattended in Maxwell Hall as the University Division moved its facilities to Ashton Center, the school's dean said.
In light of the Bursar security breach, IU's board of trustees passed a resolution during a meeting in May to increase the security of IU's computing system.
University Information Technology Services is currently working on implementing a tougher security policy to prevent further hacks into IU servers.
"We know that some vulnerability may exist (across the campus)," Bursar Susan Cote told the IDS this summer. "The more guidelines for training, resources and scans, the more secure the department as a whole will be."
But the sentiment resulting from the breaches has left many wondering whether the University is protecting IU students from identity theft.
Expediency in informing students has emerged as a chief point of contention from those affected.
The Bursar's office learned of the breach February 6. But database administrators did not notify campus administrators until February 20, and letters to students affected weren't drafted and sent until February 22 -- 16 days after the original security breach.
Soon after the incident, University officials told the IDS that the Bursar's office had to identify who the affected students were, and that's why notification took longer.
The theft of Social Security information poses certain legal concerns, including credit card fraud and personal identity theft for driver's licenses, birth certificates and other personal records.
But Professor of Law Fred H. Cate called the risk "exceedingly small." Credit card fraud incidents are among the least common of all frauds in the U.S., Cate said.
In a mid-February report to Congress, Cate said victims of credit card fraud are well-protected under federal and state law. The Social Security Administration has created significant deterrents to setting up a false identity or securing credit with stolen numbers, he said.
Students scared, angry
Kurt Richter, a graduate student who was affected by the February breach, said he feels the University lagged considerably in informing students.
"We were notified far too late with far too little information given about how to protect ourselves as well as reasons for the incursion," Richter said.
Graduate student Michael Colaresi was notified by letter as well -- hardly the way he said he thinks it should have happened.
"I do not feel the University notified me in a timely nor in an appropriate manner," Colaresi said. "They could have sent e-mails and made phone calls much sooner."
Graduate student Lori Poloni-Staudinger was also affected by the breach and said she felt the letter notifying students of the incursion was vague and offered little advice to students on how to further protect themselves.
"I think that the University should have included information about what exactly was given out during the breach," Poloni-Staudinger said. "The exact dates that we were vulnerable would also have been helpful … I don't think that the University ever correctly supplied an answer as to why the date information was vulnerable was not included in the letter."
The University later offered to reimburse students for credit reports resulting from the breach.
Conference voices concern
Richter, who helped organize a conference through the Graduate Student Organization for concerned students and administrative representatives, said he feels the administration -- not just UITS -- should be responsible for the security of student Social Security numbers.
"My position is that the University should have notified students by whatever means as soon as something was suspected," Richter said. "The University sees this matter as a security issue for their own equipment. I don't believe that they would have ever considered the student side of the issue if we hadn't brought the issues to them in a public and assertive manner."
Previous efforts to strengthen security
IU has attempted to strengthen security since the late 1990s.
In 1997, the Department of Information Technology said it would be tightening security through the use of "non-crackable" passwords for all campus computer accounts.
This increasing focus on enhanced e-mail security resulted from a March 1997 incident where 256 faculty Social Security numbers were accessed.
Later that month, an unidentified intruder hacked into the IU-Purdue University at Indianapolis system and obtained access to passwords for individual accounts, resulting in discrepancies to almost 800 IUPUI students, faculty and staff.
In response to these breaches, IU created the University Computer Security Office, headed by Jacob Levanon, UCS's director.
In April 1997, the office began utilizing a program designed to emulate the process hackers use to determine passwords. Individuals with easily accessible accounts were notified and the passwords changed.
To guard against further intrusions, technology advisers recommend using a different password for every IU account.
GSO supporters have cited other Big Ten institutions as positive examples of effective administrative communication with students.
Purdue University, for example, has developed a team of faculty and staff charged with maintaining an archive of security-related tools and documents. The archive is accessible to all Purdue users through an anonymous server.
The Purdue Computer Emergency Response Team serves on a consulting basis, allowing students and faculty alike to pose questions publicly on security issues.
It also has developed a standardized set of responses for security issues, involving the entire hierarchy of technology departments at Purdue.
IU's security response
The University has attempted to respond to security breaches by instituting a new student identifier system, the PeopleSoft Student Information System. Endorsed by the IU board of trustees and the Bloomington Faculty Council in 1998, the five-year implementation process cost $2.3 million and was subsidized by state grants.
IU Communications Specialist Greg Moore said the first stage of installation involved admissions and recruitment information. Moore said he expects the system to be complete this fall. Financial aid and student records are expected to be implemented in 2003-04.
Upon completion, the new system will only store Social Security numbers when dealing with financial aid or employment issues. Only staff in those departments will have authorized access to those numbers, Moore said.
But Moore stressed the breaches last year did not involve UITS machines. All computer information systems under the auspices of UITS operate under a central mainframe, and records within that mainframe were not compromised, Moore said.
The new PeopleSoft system should bypass problems other universities have encountered in transferring to the new system. IU will use MiddleWare, which Moore termed "a lot of backend software," a difference that will facilitate the transition with greater ease.
"This will eliminate the need for paper records," Moore said. "Whereas paper records are tangible and able to be physically taken, we'll have an automated solution."
Richter advocated the use of such systems and said while it would provoke minor problems in accessing individual information, "the argument of relative inconvenience is easily offset by the increased security for students and faculty."
While he has not suffered financial repercussions as a result of the breach, Richter said he has endured "major inconveniences" in reporting the release of his personal information to every financial institution he deals with.
Decreased faith in University systems to maintain and preserve student records has ultimately emerged as a result of the breaches, Colaresi said.
"I will no longer be donating what little money I may make to the University upon graduation," Colaresi said. "I feel that a number of the University's policies ... do not take the needs of the students into account. The belated response to the Social Security theft seems to fit this pattern."
Sophomore Aaron Huffaker was not affected by the breach directly but attended the GSO forum. He said he still does not feel his records are completely safe.
"It does not matter how many protection devices one has or how technologically advanced they are -- I still do not feel completely safe that my information is secure and I probably never will," Huffaker said. "It is simply a cost of using technology in changing times."
UITS officials denied an IDS request to publish a complete list of names of students affected by previous breaches.
What's being done
IU Technology Policy Officer Mark Bruhn told the IDS this summer that thousands of vulnerability scans of student records have been done the last three years in 82 departments.
"Almost every computer system has the potential of being a security problem," Bruhn told the IDS in May. "The issue is that there are approximately 55,000 networked systems. We need to get information to all people associated with those systems at some level. We must educate everyone at some level, and technicians at a higher level."
IU Spokeswoman Susan Dillman said the School of Music also set up a telephone line intended for student complaints and concerns. Fewer than a dozen students actually utilized that line.
"The University is always concerned with the safety of student records and is working actively to move to a system which does not rely on social security numbers for identification," Dillman said.
The School of Music and Office of the Bursar are continuing periodic checks into the status of exposed information, officials from both offices said. The School of Music plans to continue monitoring for the next four to six months.