Wednesday, April 24
The Indiana Daily Student

IU Information Security responds to hacking of President's Challenge website

Last semester the President’s Challenge website tracked IU employees’ nutrition and exercise progress throughout their participation in the Healthy IU fitness competition.

On Jan. 19, those same IU employees received an email from President’s Challenge officials delivering some alarming news.

“We are writing to inform you about a security issue involving the President’s Challenge website,” the email began. “Hackers recently accessed our database.”

The security breach gave hackers personal information such as names, email addresses, birth dates and nutritional data of about 650,000 President’s Challenge participants nationwide, including IU employees who participated in the inter-campus challenge.

“As it turns out, though, no financial information was available to the hacker,” Director of University Communications Ryan Piurek said. “And it’s been determined that only a small percentage of participants in the President’s Challenge programs could have social security numbers at risk.”

Healthy IU Director Patty Hollingsworth emailed University employees the following day to notify those on the IU Employee Health and Wellness mailing list.

Because the President’s Challenge office, which administers physical fitness tests in 32,000 schools across the country, is located on the Bloomington campus, the University Information Security Office assisted in response to the breach.

Hollingsworth’s email, a notification to parties affected by the breach, was one of the steps in a recovery plan devised by the UISO, which does not do any of the “hands on” work in repairing the damage, but coordinates a response plan to the hacking.

“We have an incident response process that we use to make sure we handle incidents appropriately and as quickly as we can,” Chief Security Officer Thomas Davis said.

“When an incident occurs, an Incident Team will be assembled to advise and assist in containing the exposure, investigating the incident and notifying the affected individuals and agencies.”

Soon after President’s Challenge staff learned of the hacking on Jan. 11, IU Communications shut down the site and assessed the damage, Piurek said. The President’s Challenge staff is in the midst of implementing the plan outlined by the UISO.

“The site’s back up and running, and we’re confident that it’s again secure,” Piurek said. “Still, we’re continuing to work with our IT security engineers to discover the extent of the data that was compromised and taking steps to strengthen our security procedures and protect all future activity within the website. This process is well underway, but it will take time.”

The time it takes to recover from a security breach depends on how complicated or involved the incident is, Davis said. Usually, it takes two to three days, but more serious occurrences can take a week or longer.

Davis said incidents like the one with the President’s Challenge website are rare. Privacy Rights Clearinghouse, a nonprofit organization that tracks “high-profile” security breaches, has a record of three incidents at IU.

The first of the three incidents occurred in November 2005, when a hacker accessed the information of 5,278 students enrolled in introductory courses at the Kelley School of Business on the Bloomington and Indianapolis campuses. The hacker also accessed the social security numbers of nearly 4,800 of said students.

Most recent was an incident last September. More than 3,000 patients at the School of Medicine in Indianapolis were affected when a laptop containing sensitive information was stolen from a physician’s car.

Davis said students should be educated about current threats, such as phishing scams, in order to protect their information online from ill-intentioned Internet users.

Being aware of personal information posted on the web is just the beginning, he said.

While sharing things like wireless networks and computers might be convenient, he said, doing so compromises security for the sake of convenience.

“You don’t have to be a super geek or understand everything about technology to be secure,” Davis said. “You just have to be vigilant and cautious, and you should have a good idea where to start.”

For more information, visit protect.iu.edu.
