Names and Social Security numbers of approximately 106,000 individuals in the McCombs School of Business databases were exposed in the database breach discovered Friday, UT officials said Monday.
Vice President for Information Technology Dan Updegrove said the number - down from a previous estimate of 197,000 - doesn't mean the risk of identity theft has decreased.
According to preliminary calculations, 100 percent of current faculty and staff, a "high percentage" of current students and about 50 percent of alumni had their information exposed as early as April 11. The number of corporate recruiters and prospective students affected is unknown.
Officials have traced the IP address of the illegal logs to "several" countries in Far East Asia, but Updegrove declined further comment on names or numbers.
"It's very difficult to state with certainty that we are 100 percent locked down," he said of the security in other schools' databases. "My confidence is that we don't have another clone system like the one that was breached at the business school."
Traffic on two phone banks and a security information Web site for victims has been low, he said. The phone lines, which are open today from 8 a.m. to midnight, were getting an average of 150 calls an hour as of Monday afternoon, Updegrove said.
He called both the University's preparedness and the grandness of the number affected "appalling."
"No one is home free," he said.
Officials are encouraging anyone with a business school affiliation to act immediately by setting up a fraud alert with one of three agencies listed on the school's informational Web site instead of waiting for an all-clear.
Updegrove said the U.S. Secret Service, the Austin Police Department and the Texas attorney general's office would all be involved in the investigation.
However, a Secret Service spokesman said mid-Monday afternoon, "We are not currently involved in the investigation."
The attorney general's office declined to comment through a spokesman.
As the unauthorized access was linked to a foreign country, the police department's role is uncharted.
Officials hoped the University's stay in the hot seat of computer hacking would be short-lived, but analysis from a computer security expert suggests sensitive personal information should have been purged more hastily from the business school's database.
Troy Sorzano, director of professional services for computer network and security agency Netforcement, said the University probably didn't heed the lessons of a similar attack in 2003 by encrypting Social Security numbers and improving its database alarm system.
Netforcement is hired by clients to perform risk assessment and offer theft prevention tactics.
Three years ago, administrators faced the curiosity of former UT student Christopher Phillips. At the time, Phillips was living in Houston, and he accessed only 45,000 files. A judge later found no evidence to suggest Phillips had any intention of selling or profiting from the Social Security numbers and birthdays he had stolen.
Even with a reduced number of affected individuals as of Monday, administrators are still dealing with more than twice the 2003 figures. The access has been tied to another continent and officials including Updegrove have every reason to believe the stolen information could be sold on the black market.
"If we had encrypted the Social Security numbers, I wouldn't be as worried as I am now," he said at Monday's press conference.
Sorzano said updated systems with alarms can pinpoint exactly which Social Security numbers were accessed. As for compromising the system, he said, all you need is the creativity of a computer genius.
"It doesn't matter whether you're in the U.S., Asia or the parking lot," he said.
Although Sorzano links slow detection of the breach to a number of factors, he said an inadequate "burglar alarm" may be the most damaging. Computer criminals usually "case the joint" before committing the grand theft, and therefore the perpetrator could have gained illegal access months before the April 11 estimate, he said.
"What's funny is the breach wasn't detected because of Social Security numbers being accessed, it was a bandwidth issue," he said. "The computer probably had a bandwidth overload, which led officials to think something was up."




