Breach may have exposed donor information
Maddie Hanna | Monday, January 23, 2006
The personal and financial information of some University donors may be at risk after an unknown intruder hacked into a Development Office server Jan. 13 – the first computer security breach of its magnitude at Notre Dame, University officials said Sunday.
The data in question – possibly including Social Security numbers, credit card information and check images from donations made between Nov. 22, 2005 and Jan. 12 – pertains to a “minority” of alumni donors and friends of the University, said Hilary Crnkovich, vice president of Public Affairs and Communication. She declined to provide a specific estimate of the number of donors affected.
“We’re not comfortable quantifying it,” Crnkovich said Sunday. “We have no facts or quantification that people were compromised.”
The intrusion was not initiated from an on-campus location, Crnkovich said, but its source is still a mystery.
“We just really don’t know,” she said.
Gordon Wishon, chief information officer for the Office of Information Technologies, said the University is working with two independent forensics firms to determine the source of the intrusion and expects to receive results in several days.
The analysis will “examine the contents of the server, look at the logs and a variety of data to help describe the nature of the intrusion and the intent of the intruder,” Wishon said Sunday.
However, the investigation may be unable to pinpoint the intruder’s exact location, especially if the site was overseas or several relay sites were involved, Wishon said. And it’s also unclear whether or not the University will know what information, if any, was viewed.
“It may be that we’ll never find out exactly what was exposed or taken,” Wishon said.
Both Crnkovich and Wishon said it was possible the intrusion was carried out for file-sharing purposes, designed to obtain server space rather than personal information.
“Most commonly with incidents of this type, that’s what happens,” Wishon said. “It’s very common … [but] I certainly don’t know if that’s the case.”
The server, which is not part of the University’s central data system, was used for inter-office file sharing in the Development Office, Wishon said.
While the server is maintained primarily by Development Office staff, Wishon said OIT’s Information Security Department collaborated with the Development Office to provide security standards for the server.
OIT was involved in the detection of the intrusion, when staff noticed “anomalous behavior” on the server and notified the Development Office, Wishon said. The server was immediately taken off-line after a breach Wishon estimated to be “fairly short in duration.”
Donors whose information was potentially viewed received an e-mail Saturday from Vice President of University Relations Louis Nanni and were also sent letters in the mail advising them to take appropriate safeguards listed on a newly-created University support Web site and to call a toll-free Notre Dame phone number for more information.
Since little is known at this point, donors should not necessarily expect the worst, Crnkovich said.
“What we’re doing is providing recommendations and outreach to the potential group and asking them to take their own precautions,” Crnkovich said. “We really feel it’s prudent to give people all the resources we can. We take it seriously.”
Crnkovich said the Development Office had not received phone calls from concerned donors as of Saturday night. The Office has received e-mails, but they have all been positive, she said.
“People have been very thoughtful and said thank you for letting them know to take the steps,” she said.
But other donors say they are far from thankful. Mike Coffey, a 1991 alumnus who runs the NDNation Web site and message boards that received a flurry of posts over the weekend from concerned donors, said he was “extremely disappointed” after receiving e-mails informing him of the security breach.
“It seems to be a very shoddy set-up for protection of personal information I’ve provided to the school,” Coffey said. “What is a server with this sensitive information on it doing on the Web? I can’t perceive anyone outside of Notre Dame needing that information.”
Coffey, who received his degree in Management Information Systems and has been an IT professional for 15 years, said he “thought [he] learned” the proper way to maintain a server at Notre Dame.
“Apparently [University staff members] don’t practice what they preach,” he said.
Despite his disappointment, Coffey said he would not change his donating practices and hopes the incident causes the University to improve the way it stores and accesses information.
“I donate to Notre Dame because I believe in what Notre Dame does,” he said.
Crnkovich said similar security breaches have occurred at other universities, including Stanford and the University of Connecticut. However, she said she did not know how the incidents were handled by those schools.