School Revamps Computer Security

Posted by Mark Brousseau

An interesting item from this week's Palm Beach Post:

UF to revamp computer security systems after second breach
By KIMBERLY MILLER

Palm Beach Post Staff Writer
Thursday, February 19, 2009

The University of Florida is revamping its computer security systems following the second breach in less than a year that has left the personal information of thousands of students, faculty and staff vulnerable.

The Gainesville school announced Thursday that a hacker broke into its "Grove" computer system, which contained information, including social security numbers, for more than 97,200 people.

In June, 11,300 students and alumni were told that their personal information had been posted online and available to the public for several years.

School officials said in both cases that they have no proof personal information was taken from the sites.

"We know someone was in there, we don't know why they were in there and we don't know what they were doing there," said UF spokeswoman Janine Sikes, about the most recent incident. "We are stepping up our vigilance even more knowing that we've had these breaches."

The recent break-in was discovered Jan. 14 during a routine audit of the system. The program was immediately shut down and university police were notified.

Letters alerting people to the breach were mailed Wednesday.

Sikes said there was a delay in notification because it took two weeks to do the computer forensic work to see whose information may have been compromised. Preparing letters for more than 97,200 people and setting up a call center took another two weeks.

The information that may have been illegally accessed includes that of anyone who used the Grove computer system between 1996 and 2009.

About 3,075 Palm Beach County students attend UF. Another 412 are Martin County residents, and 345 hail from St. Lucie County.

The Grove system provided an online location for faculty to post course materials and class information. It also supported one of the few free e-mail services available on campus.

To verify identification, the system required students to enter their UF identification number, which until 2003 was also their social security number. Faculty records housed on the system also included student UF identification numbers.

Sikes said the system has now been retired.

University officials believe part of the reason for their vulnerability is that the school operates on a decentralized system where computer capabilities differ by college and department.

"We are moving ahead to centralize information technology functions so that we can create consistent approaches to security," Sikes said.