The hacking of information on more than 650,000 University of Nebraska (UN) students, alumni, parents, and employees—which ranks among higher education’s largest data breaches—had the markings of an amateur job.
The university announced last week that the school’s student information system was hacked, possibly revealing the Social Security numbers, financial aid data, birth dates, course grades, and home addresses of University of Nebraska-Lincoln, the University of Nebraska at Omaha, the University of Nebraska Kearney, the University of Nebraska Medical Center and the Nebraska College of Technical Agriculture stakeholders dating back to 1985.
UN officials said the centralized information system was exposed for hours before an IT staffer discovered the breach. Since then, UN police have seized computers and electronic equipment from an undergraduate student who might be connected to the data breach.
As of press time, no charges have been filed against the student, who was tracked down through his or her IP address.
Read more about data breaches in higher education…
Analysts are combing the computer equipment for forensic evidence, according to a website launched by the university in response to the security breach and the subsequent public outcry.
This breach, however, likely wasn’t the work of seasoned hackers sneaking their way into a well-guarded university database, IT security experts said, raising concern about the university’s safeguards against even the most basic attacks.
Josh Shaul, chief technology officer at New York-based database security company Application Security Inc., said the campus police revelation that the undergraduate student didn’t successfully hide his or her computer’s IP address shows that the attack was less than sophisticated.
“That’s the ultimate rookie mistake,” Shaul said. “I figure someone [who] can’t hide his IP address probably can’t hack his way out of a paper bag. Was the database that got popped ever even secured beyond the default settings?”
UN, in its detailed announcement of the security breach and its aftermath, described the incident as a “skilled attack.”
Even the most cautious campuses using up-to-date database security programs are vulnerable to attacks from complex networks of botnets or experienced hackers, Shaul said. When an inexperienced cyber attacker hacks a student information system, students, faculty, parents, and alums should be concerned.