Forum to address security breach

Earlier this month a mistake in the bursar's office allowed thousands of students' names and Social Security numbers to be downloaded to a computer in Sweden, University officials said.\nToday those students will have a chance to get their questions answered.\nThe Graduate Student Organization is sponsoring a public forum on the security breach at 5:30 p.m. in Jordan Hall Room 124, said GSO moderator John Mersch, a graduate student.\nThe forum is a chance for students to air their concerns, ask University representatives what happened and find out what they should be doing to protect their personal information and accounts, Mersch said.\n"We are displeased with the University's actions," Mersch said. "We believe the University needs to come forward to the public with full disclosure (of) exactly what has been stolen, when it happened and what precautions are being taken to prevent this in the future."\nFive speakers have agreed to attend the panel: Bursar Susan Cote, Director of Student Legal Services John Irvine, University Information Technology Services Assistant Director Mark Bruhn and representatives from the IU Police Department and the University administration, Mersch said.\nEach speaker will have five minutes to address students about the incident, which occurred after a security step was skipped and a bursar office server was left unprotected.\nSomeone found and used the memory available, said Perry Metz, assistant vice president for external affairs. He said the computer was not hacked, which would require someone to break the computer's security provisions.\nIn this case, he said, someone scanning the Internet probably found server space on the University's computer and used it to store multimedia files. \nMetz said he doesn't believe the person deliberately downloaded students' names. The download was traced to an IP address at a university in Sweden, he said.\nStudents' information could have been downloaded as early as Jan. 25, University spokeswoman Susan Dillman said. The University investigated the incident from Feb. 7-16, she said, and students were informed in a letter dated Feb. 22.\nMetz said the information technology team took 10 days to issue their report.\n"Then it took an additional week for us to match the names with ID numbers, print the letters and get them in the mail," Metz said.\nMetz said scans of the Internet have turned up no evidence of students' information being available.\nA similar incident, in which Social Security numbers of faculty were released to the Internet, occurred in 1997. A privacy advocate located the names and ID numbers of hundreds of professors and posted them to make a point about privacy, Metz said.\nMetz said measures are being taken to prevent future breaches in security.\nThe Information Technology Security Office has scanned all bursar machines and reviewed security procedures, Metz said.\nContrary to the worries of some students on campus, names and ID numbers were the only pieces of information released, Metz said.\nMetz said IUPD is investigating and the FBI has been notified.\nIUPD has taken about 200 reports from students affected by the security breach at the bursar's office, IUPD Lt. Jerry Minger said. So far none of the students have experienced any fraudulent activity on their financial accounts, he said. \nIndividuals affected by the breach do not need to notify IUPD unless they feel there has been a fraudulent act committed, Minger said.