Kristin Collins reports:
Patrons of the state’s community colleges may have had their driver’s license and Social Security numbers stolen by a hacker.
College officials announced late today that 51,000 library users at 25 campuses, including Wake Tech and Johnston County, were the victims of a security breach in August.
They said the libraries collect driver’s license and Social Security numbers to help identify computer users. The information is stored on a central server in Raleigh.
The colleges are in the process of notifying all users whose numbers were on the server when it was accessed by a hacker earlier this year.
However, they said their investigation suggests that the hacker did not access the information.
[…]
Other campuses affected are Alamance, Beaufort, Bladen, Blue Ridge, Brunswick, Central Carolina, College of the Albemarle, Gaston, Halifax, Haywood, Lenoir, Martin, Nash, Pamlico, Piedmont, Richmond, Roanoke-Chowan, Rowan-Cabarrus, Sandhills, Southwestern, Tri-County, Vance Granville and Wilson.
Read more on News&Observer.
The North Carolina Community Colleges System website has a notification of the breach (pdf), but only if you click on the news link from the home page. Somehow, with all the good news they managed to post to the home page, they did not post the security breach as news where people might see and find it right away. The notice says, in part:
On Sunday, August 23, 2009, a computer hacker accessed the library patron information on the computer server, housed in the community college System Office in Raleigh, via the Internet by decoding a user password. The breach was discovered on Monday, August 24 during a routine security review and was reported to the state’s Information Technology Service (ITS). The System Office’s Information Services division immediately began an investigation to trace the activity of the attacker and the extent of the breach.
Forty-six community colleges that participate in the Community College Libraries in North Carolina consortium (CCLINC) maintain information on more than 270,000 library users on this server. The investigation revealed that 12,400 driver’s license numbers, originally collected by 18 colleges to help identify library users, were stored on the server.
[…]
The ongoing review revealed on October 19, 2009, that Social Security numbers of 38,500 library patrons were also stored on the breached server. Community colleges whose library patron information included Social Security numbers were Bladen, Haywood, Lenoir, Nash, Pamlico, Richmond, Roanoke-Chowan, Sandhills, Southwestern, Tri-County, Vance-Granville and Wilson. The addition of the seven new colleges impacted by the computer intrusion brought the total number to 25. The Information Services division expanded their investigation to include this new data, the additional colleges and the extra steps needed to remove Social Security numbers.
“Finding the Social Security numbers added another layer onto an already complex investigation,” said Dr. Saundra Williams, Senior Vice President of Technology and Workforce Development in the System Office. “We went from 12,400 library users to nearly 51,000 so the scope of our review was greatly increased. We felt it was necessary to be extremely cautious each step of the way to prevent future breaches and to ensure that the information was dealt with appropriately.”
For all their explanation, it still took them over two months to realize that they had SSNs on a breached server. In my opinion, that’s not satisfactory. Nor, by today’s standards, is it good to take four months to reveal a breach. I hope that they’re right and that the data weren’t accessed, but if the data had been accessed, the delays in notifying people could make a difference.
Elsewhere, Jon Ostendorff reports that an internal memo obtained by the Citizen-Times said, in part:
“At this time, it appears that the compromise was limited to the operating system and the installation of ‘chat’ software,” according to the memo from system Senior Vice President Saundra Williams. “There is no evidence that any data was accessed. The data is stored in an obscure database which the unauthorized user would have to know the structure of the database to piece the information together to match the person’s name with other personally identifiable information.”