You are viewing this article in the AnnArbor.com archives. For the latest breaking news and updates in Ann Arbor and the surrounding area, see MLive.com/ann-arbor
Posted on Mon, Oct 17, 2011 : 5:58 a.m.

College campuses often targets of Internet hackers, officials say

By Kellie Woodhouse

Military Cyberdefense_Wood.jpg

AP photo

In August, the sensitive information of thousands of patients at Stanford University Hospital in California was illegally posted on the Internet, putting more than 20,000 people at risk of identity theft and misuse.

More than a month after the breach, officials at the Ivy hospital still are trying to figure out just how Stanford’s IT system—which has been praised for security at the highest level— failed.

At University of Michigan and Eastern Michigan University —the gatekeepers of sensitive information for tens of thousands students, patients, faculty and staff— the fear of a large-scale security breach is ever present.

“This is what every major institution doesn’t want reported about them,” U-M IT Communications Director Alan Levy said of the Stanford breach.

Both universities have dozens of people on staff and several protections in place to limit hacking, but despite their efforts, slip-ups are made and, from time to time, breaches still happen.

“Big institutions run very large data systems with very sensitive data. You don’t want people hacking into your system,” Levy said “It’s a nightmare. It’s very, very costly both reputation-wise as well as in terms of dollar value.”

Last academic year, EMU was twice hit by hackers. In March, two student employees obtained student information, including Social Security numbers and dates of birth, and possibly provided it to outsiders.

Unlike most information security breaches, the incident was “old-school theft,” according to Carl Powell, EMU’s chief information officer.

“It was just old-school grab papers and write things down,” Powell said.

In September 2010, a computer server was hacked, possibly exposing the online banking log-ins and personal identification numbers for some employees.

files2.jpg

More and more universities are digitizing their records and getting rid of vast amounts of paper documents.

The server did not store student information, Powell said.

U-M also has been victim to breaches, experiencing three personal information thefts in the past five years. Two were the traditional grab-and-run incidents, and one was an electronic hacking.

In June 2006, documents that were supposed to have been stored digitally and then shredded were stolen from a storage room. The papers contained the personal information of credit union members and were used to perpetrate identity theft.

In July 2007, university databases were hacked and names, addresses, Social Security numbers and birthdates of students were exposed. Less than three months later, tapes containing names, addresses and Social Security numbers were stolen from U-M’s school of nursing.

“There are certainly attempts to hack into the university system,” Levy explained. “But there’s a pretty significant amount of energy put forward to try to stay one step ahead of the bad guys.”

Both EMU and U-M have teams that monitor false and unsuccessful log in attempts. Additionally, both schools heavily restrict access to sensitive files.

“We have people who find holes in your system so you can plug them up,” Levy said. “Serious incidents are relatively infrequent.”

For students living on campus, the university offers free computer anti-virus programs. Those programs are preventative on two prongs, Levy says.

“We don’t want your computer to be infected, and we don’t want your computer to then infect a large system,” Levy said. “We are both looking out for the interest of the individual and the university.”

Large-scale breaches aren’t the only concern of university officials.

According to Powell and Levy, students often fall victim to Internet scam artists. One common scam is called phishing, which is what happens when students receive an email asking for personal information from someone posing as an institution or business.

“They send a message that looks like it came from your bank or a credit union or from an IT department,” Levy said. “They tell you to do something that you should never do.”

Such emails often send you to a website that requests a password or personal information update. When the sensitive information is entered, it is taken by the hacker and is usually used in a damaging way.

Powell remembers when a colleague from another university fell prey to a scam artist posing as her bank.

“They basically said 'We found a fraud on your account, please click here to log onto your account and verify you banking identity,'” Powell recalled. The co-worker fell into the trap, entered her personal information and lost thousands of dollars, Powell said.

“Effectively what she just did is surrender all her banking credentials to someone,” Powell said. “Once you give people your bank account information, there’s no protection. If someone wipes out your bank account, its like taking cash out of your wallet.”

Levy says that while U-M has a sophisticated spam filter for the university email system, unwanted scams slip through the filter from time to time. He said he gets about three reports of phishing attempts a day. Each year, at least a handful of students fall prey to the scam, he said.

“We used to get this all the time, and now it's much less common because of the filter, but the filter doesn’t catch everything,” Levy said.

Powell said that EMU is seeing a specialized kind of email scam, which he calls spear-phishing. Some scammers have moved from using generic bank identities to posing as EMU staff. In those e-mails, the scam artists poses as an university administrator and asks for sensitive information.

“They tend to laser in a little bit more on their audience, which tends to get better responses,” Powell said.

But hackers aren’t always unknown individuals operating from faraway places.

Levy says that in addition to phishing, he’s seen students’ personal accounts hacked by former friends or significant others who were once entrusted with sensitive passwords.

“We’ve had some examples where an ex-boyfriend still had access to his ex-girlfriend’s email and used that access in very inappropriate ways that were harassing and threatening,” Levy said.

“There have been several examples of this over the years,” Levy continued, adding that some cases have led to criminal charges.

Kellie Woodhouse covers higher education for AnnArbor.com. Reach her at kelliewoodhouse@annarbor.com or 734-623-4602 and follow her on twitter.

Comments

Sallyxyz

Mon, Oct 17, 2011 : 2 p.m.

There are certainly valid concerns about hacking into large UM databases. However, there are other concerns about breaches of confidentiality of health records in particular at UM. Keep in mind that all secretaries and hundreds of other lower level employees have access to patient data. Yes, all those assistants working for doctors at UMHS have access to all patient data. Theoretically, they are only supposed to access patient records for the doctors they specifically work for, but they can also access patient records they have no business seeing, such as co-workers, former co-workers, professors, girlfriends, boyfriends, relatives, doctors, etc. Unless a patient orders an "audit trail" of their health record, there is no way to know who has accessed your health information, and few people even know of this option. Keep in mind that all patient data is accessible to those assistants, and there are hundreds and hundreds of them, and not all employees are ethical, needless to say. Sure, they all sign statements of confidentiality, but those are essentially an honor system. The chances of being caught are low, unless the patient orders an "audit trail" of their records to see who has accessed them, which few people do. I've also seen computers in doctor's waiting rooms at UM with a patient's record on the screen, and the doctor did not log out before leaving the room. There are many opportunities for breaches of health information beyond hacking into large databases.

mhirzel

Mon, Oct 17, 2011 : 1:08 p.m.

Yeah......... Aren't we all looking forward to Obamacare's mandate that everyone in the nation have an Electronic Health Record? Everything about you/your identification of all sorts, including social security numbers, bank account numbers (Yes, O.C. intends to link your bank account numbers to your health information, so facilities can determine "on the spot" whether you can pay), as well as every detail of your health history, will be a hacker's dream come true.

alan

Mon, Oct 17, 2011 : 7:47 p.m.

Have you been listening to Glenn Beck? And they're going to implant chips in your children when you take them to be vaccinated. There is a provision to encourage point of service verification of financial responsibility which is already done in most modern facilities. They electronically verify your insurance coverage, copay, etc. It has nothing to do with personal financial records. AA.com used to at least check facts when people posted nonsense.

Sallyxyz

Mon, Oct 17, 2011 : 2:10 p.m.

Where does this "central" database reside? Very scary prospect indeed. I've never given bank account numbers to a hospital or doctor, so how would that information be linked?

Sallyxyz

Mon, Oct 17, 2011 : 2:03 p.m.

This is really unbelievable, and bank account information should never be tied to a health record. I can also foresee employers eventually obtaining illicitly and paying for this information to "evaluate" the health status of potential employees. Wouldn't corporations love to hire only healthy people?

xmo

Mon, Oct 17, 2011 : 12:57 p.m.

What is the problem with your social security number? It says right on the card that it is not to be used for identification. I guess we are not following the government's rule?

Sallyxyz

Mon, Oct 17, 2011 : 2:06 p.m.

Unfortunately, SS numbers have been misused for decades, and have become the central number for identifying individuals, whether intended or not. Hackers love them and make bundles of cash selling them. How do you think most illegals obtain SS numbers? They buy them from criminal rings who have stolen them from databases they hacked into.

marzan

Mon, Oct 17, 2011 : 12:36 p.m.

One of the biggest targets is account information to send spam out of the University servers, which normally have a high reputation. Never give out your email password.

alan

Mon, Oct 17, 2011 : 12:09 p.m.

When did Stanford become an "Ivy"?

justwondering

Mon, Oct 17, 2011 : 12:24 p.m.

I saw that, too. Last I heard it was still on the West Coast!

trespass

Mon, Oct 17, 2011 : 11:21 a.m.

Someone may be reading your email but it won't be a hacker. It may be a UM official because they own the email server so they can read your email at will, without a warrant. Just look at the UM privacy policy and you will see that they can read your email for any "legitimate business purpose".

sellers

Mon, Oct 17, 2011 : 12:19 p.m.

This is true anywhere. Anyone who is a systems administrator is able to read such items (unless encrypted by the end user). It's similar to a doctor who has access to your patient records; this information is only to be viewed (notice I didn't said read) if it is needed to protect the integrity of the entire system or if the end user is in need of assistance. With that said, there are some malicious folks out there that may work in computer departments across the world, however that is not a new problem. Even areas that do background screenings don't eliminate that risk. I can tell you - most systems administrators are very sensitive to people's data, because they too have data on similar systems and know the value of personal data. Many are educated on privacy issues, ethical issues, FoIA, FERPA, PHI, PCI, etc. -like guidelines and regulations. Just as a side note, you should know that e-mail (a.k.a SMTP) is clear text across the internet, and it's trivial to read e-mail as it goes from point to point. E-mail should never be sensitive and any level of privacy you may have is merely a cloak of security via obscurity and nothing more. Only encrypted messages are protected from interception.