More details have emerged about the Jacksonville State University breach previously noted on this site. Although a suspect has been arrested, the site is still online. Today, the Anniston Star reports that the unnamed teen, who may be tried as an adult, is a student at JSU and is thought to have used a staff member’s credentials to access the personal information of more than 40,000 current and former students.
Vinson Houston, JSU’s head of information technology, said that the suspect accessed one of the many ancillary systems maintained by various units and departments on campus.
“We found out that the guy got access to the information in one of those systems and was able to extract it,” Houston said in his office. “We feel confident that the way he was able to do that was by obtaining the credentials of one of the individuals that had access to that system.”
He said “the judicial process has to figure out” whether those credentials were compromised or willingly provided.
Either way, one question to ask is how and why anyone would be able to extract 40,000 records like that. Were these admin credentials that the student obtained? And why were enrollments from 2007 still in a database with current students and faculty? Should those records have been segmented or moved offline if the students and faculty were no longer enrolled or active?
Read more on Anniston Star.