It appears we should add the University of Chicago to schools hacked by Carbonic. And yes, chalk it up to another SQLi vulnerability.
In a statement to DataBreaches.net, @MarxistAttorney reported that they got payroll information, employee IDs and a “substantial amount of information they didn’t publicize.” A copy of the url vulnerable to SQLi exploit was included in their statement.
A test of that url yesterday indicated that the vulnerability had been addressed.
DataBreaches.net e-mailed U. Chicago on Thursday to inform them of the claimed hack and to point them to the partial data dumps that have been mirrored on Carbonic’s site and Pastebin. Those data dumps appear to include names, email addresses, and salary status for non-clinical staff of the U. of Chicago’s Biological Sciences Dept. According to @MarxistAttorney, that’s only a portion of what they downloaded.
U. Chicago was asked to acknowledge this site’s notification and to confirm or deny the claimed hack by yesterday morning.
They did neither.
@MarxistAttorney did not respond to an inquiry from this site asking whether they had accessed or acquired actual salary details of any employees or any clinical information on patients seen by staff at the Biological Sciences department.
Update: Following publication of this post, @MarxistAttorney provided responses to the questions that had been posed. In response to a question as to whether they had accessed databases that held patient information, he replied:
There was a ton of patient information stored within the MSSQL Server itself. However, like I mentioned before, I didn’t extract it nor dump it to respect the personal information of innocent people (we got morals to (sic) you know).
In response to a question as to whether they had accessed any databases that held actual salary information, he replied:
… there were databases within the MSSQL Server that had actual salary information. But I only grabbed a few lines of a department, the medicine one, that didn’t say how much each employee earned but rather then if they had an active salary or not. I mean to you I may still seem like that guy that would’ve dropped it for the lulz, but I realized that dropping innocent people’s personal information to prove a point isn’t right
CORRECTION: This post was corrected to changing collective’s name to “Carbonic.” An earlier version had misidentified them as #TeamCarbonic.
By the way we go by “Carbonic”, our twitter handle is @teamcarbonic just to imply that we are a team.
Sorry about that. Corrected the post.
Proof: https://twitter.com/teamcarbonic/status/554827475612868609