Hacker hits music school

A computer security breach in the School of Music gave hackers the opportunity to access more than 1,700 individuals' Social Security numbers, including nearly 150 IU students, University officials said Monday. The breach occurred on two School of Music Web servers which contained personal information voluntarily submitted by individuals requesting more information about the school.\nThe problem first came to the attention of School of Music technicians June 4, at which point they contacted the University IT Security Office (ITSO). They were advised by the ITSO Security Engineer that night to disconnect the affected computers from the network to prevent further tampering and protect any evidence on the machines.\nThe files on the two servers consisted primarily of pages for the School of Music Web site. But one page on the site contained a form allowing individuals requesting more information about the School of Music to submit personal information. An optional field in the form gave those people the opportunity to submit their Social Security Number. That information, including the Social Security Number, was then kept on the Web server until it was archived and wiped from the server. The last time such a cleaning took place was October 2000. Since then, about 1,900 individuals had submitted their information, of which 1,718 had included their Social Security Numbers. School of Music Dean Gwyn Richards estimated that 148 of those were IU students.\nThis incident follows a security breach in the University Bursar's office earlier this year which gave hackers access to the names and Social Security Numbers of 3,100 students. In that case, it was determined that information was downloaded to a computer in Sweden.\nIU Information Technology Policy Officer Mark Bruhn said they did not believe that the hackers broke into the School of Music servers with the intention of accessing personal information. He said the discovery of hacking tools and Internet Relay Chat programs installed on the Web servers by the hackers lead him to believe they hoped to use the servers as a "safe haven" to store their software.\n"All the evidence leads us to believe they were here to put these programs on this system," Bruhn said in a press conference Monday.\nThe intruders cleaned the server's log files following their activity. According to a final report delivered to Bruhn by UITS technicians June 8, this action made it impossible to determine whether the hackers accessed any of the personal information stored on the servers. \n"They covered their tracks very well," Bruhn said.\nThe report said the presence of the hacking tools meant it was "unlikely" that hackers accessed the files.\n"We can be fairly certain their purpose was not to get this information," Richards said.\nSchool of Music officials have already begun implementing a plan to inform the individuals whose information might have been accessed of the breach. An e-mail and letter were sent to all 1,900 potentially affected individuals Monday afternoon, and a toll-free number has been set up to field questions from those individuals. The phone service will be staffed by School of Music personnel, and will be operational from 6 a.m. to 6 p.m. until June 20. The University will also reimburse individuals for the cost of obtaining a credit report up to three times during the next year.\nThe School of Music's Office of the Dean said Wednesday it had already received about two dozen e-mails in response to the notification. No one had reported any credit problems that could result from a Social Security Number theft.\n"Most of them have been 'thank yous' for letting them know," said Jennifer Naab, who works in the Dean's office. \nIndividuals with questions related to the security breach can call 1-800-937-3448 from 6 a.m. to 6 p.m. until June 20, or visit www.music.indiana.edu/security.html.