The Northern Light
College Media Network
University of Alaska Anchorage www.thenorthernlight.org

UAF server hack discovered last year

From The Sun Star

Nate Raymond - UAF Sun Star

Issue date: 7/25/06 Section: News

As early as October 2005, UA technology staff detected hacker activity on the same Bethel server that is now at the center of a police investigation over possible identity theft, documents show.

"Note this machine was compromised last October and records are still on the machine," said Jerry Domnick, the area network manager in Bethel, in a March 30 e-mail to Fairbanks technology personnel.

The server, based at the Kuskokwim Campus in Bethel, held two files containing the names, partial e-mail addresses and Social Security numbers of 38,941 students, staff and faculty.

UAF previously said the machine was compromised as far back as February 2005, but it had not indicated that personnel knew before March about any hacks.

Steve Smith, the chief information technology officer at UA, said his office was not alerted to the October incident until after being told about the most recent hacks.

A Bethel technician, who quit before the current incident, failed to follow university procedures and report the hacking, Smith said. Domnick's e-mail was the first documented reference to it, he said.

Domnick and the technician were the only university personnel who knew about the October hacking, but knowing about it would have made little difference, Smith said.

"The machine would have still been compromised," Smith said. "We would have still sent out messages. It just would have been in October instead of March."

The university provided the Sun Star a copy of the e-mail and a help-desk file related to the most recent hacking in response to a Public Records Act request.

Domnick discovered the latest hacking when he logged into the server via remote desktop March 29, the e-mail says. The computer alerted him that the hard drive had only 135 megabytes of free space left.

"This is a 6GB drop since last November," Domnick wrote.

The drop in free disk space later turned out to be unrelated to the hack. But Domnick told the help desk he had "found some other disturbing items."

Among the items he found was a directory containing a sensitive utility with "hashed passwords for many of our users there," he said in the e-mail. The directory's dates indicated it might be related to the October hack, he said.

Additionally, he found a sensitive file in the computer's recycle bin. He also found two files containing "some passwords used on our system, including a higher-level password," the e-mail states. The files dated to the end of December, "well after the (October) compromise was discovered and closed," he said.

Domnick also found an administrative account that he did not create and disabled it.

"I'd like someone to take a look at this please," he wrote.

Reached by phone at the Kuskokwim Campus, Domnick declined to comment.

UAF Chief of Police Sean McGee said police were not told until recently about the October hacking. It is part of the current investigation, however.

"We're going to look and see anytime someone got into the machine," he said.

UAF police have had several phone calls about possible ID theft related to the server hacking since UAF made the incident public two weeks ago, McGee said. Police continue to follow up on each call, he said.

Help desk records show the university's lawyers were alerted to the incident April 4. Records indicate that by April 7, general counsel was giving the university computer personnel direction.

Asked at a press conference if UAF was responsible for damages related to ID theft, Jake Poole, vice chancellor for university advancement and community engagement, said he didn't know.

"If we're contacted by an individual who is concerned about that, what we would do is link them up with our general counsel office to discuss what the possibilities are," he said.

However, in a 2003 legal memo, Meg Greene, associate general counsel for UA, warned that the university faces "potential liability from inadvertent or negligent disclosure" of Social Security numbers.

"It may be difficult in most cases for us to distinguish from which files the leak came," Greene wrote. "Accordingly, we could be blamed for violating any of the statutes requiring special treatment of personally identifiable information."

Kate Ripley, a university spokesperson, said the university isn't necessarily legally responsible.

"Just because a server was hacked into with Social Security numbers doesn't make us liable," she said.

Greene addressed the Oct. 23, 2003, memo to Saichi Oba, statewide assistant vice president for Student and Enrollment Services. At the time, Oba was heading an effort to implement student and employee ID numbers in place of Social Security numbers.

Systems that still use Social Security numbers include Polar Express, Aurora e-mail, Blackboard, Parking Services, UA's online directory EDir, a recruitment database called EmasPro and the National Direct Student Loan Clearing House, Oba said.

The team will reconvene in May, almost two years since the conversion process began, Oba said.

"Our goal is to minimize the use of the SSN," he said.

When the university began switching ID systems, planners decided to leave an 18-to-24 month window that would allow Social Security numbers to remain useable for several university systems, Oba said.

"Maybe in hindsight we should have compressed that time a little," he said.

