UMaine working with law enforcement, information security to investigate computer breach

A University of Maine computer server has been breached by hackers, potentially exposing personal information of individuals who made purchases through campus-based computer stores at UMaine and the University of Arkansas.

While law enforcement’s forensic analysis of the data continues, early estimates are that up to 1,007 online-only transaction records — including names and partial credit card numbers — from the University of Arkansas were on the server. At UMaine, 2,818 unique identifiers were discovered on the server, which may include as many as 435 credit card numbers and 1,175 Social Security numbers.

It is still unclear whether any of the data was compromised by the hackers.

“Any time these attacks occur anywhere in the world, it heightens our awareness and vigilance,” says Janet Waldron, UMaine vice president for finance and administration. “We are committed to maintaining the best computer security efforts to prevent such attacks and safeguard institutional data. It is a constant battle.”

Since 2007, the University of Arkansas was licensed to use a Web-based tool called Buyers Search Assistant (BSA), a supply chain analysis and marketing system developed in 1999 by UMaine’s Computer Connection, a campus-based computer store. The compromised BSA server supported only online sales of campus computer stores. It is an isolated system that has no relationship with any other UMaine computer systems containing other student or university data.

The BSA system was being phased out at the time of the hacking.

University of Arkansas officials first learned of the security breach April 27 through a story posted on the Softpedia website by a hacker activist group.

When the University of Maine System Information Security Office was notified, the computer server was taken offline and local, state and federal law enforcement agencies were contacted, according to John Forker, chief information security officer for the University of Maine System, who is leading the investigation.

Members of the UMaine Police Department, the Maine Computer Crimes Unit of the Maine State Police, the FBI, the University of Maine System Information Security Office and UMaine’s Information Technologies Office began retrieving data from the server hard drives for forensic analysis on May 2. IT experts at the University of Maine System, UMaine and the University of Arkansas have been analyzing the data to understand the extent of the breach. Law enforcement agencies hope their analysis will shed light on how it happened.

Both the University of Arkansas and UMaine reported a breach of personally identifiable information (PII) as required by the laws in each state.

The University of Arkansas is working to ensure that its affected cardholders receive notice of the breach. UMaine has engaged the AllClear ID Identity Protection Network to help contact the Computer Connection’s affected customers and provide them with at least 12 months of identity protection at no cost. Those services include credit monitoring, alerts regarding credit changes and identity theft insurance.

Each person potentially affected will receive a letter with customized information about accessing these identity protection services at UMaine’s expense.

The University of Maine also experienced a computer security breach in 2010. At that time, two servers were compromised when hackers allegedly accessed personal data from the campus Counseling Center of an estimated 4,585 students. Forensic analysis ultimately revealed that no personal data was uploaded or shared.

While computer intrusions are a continual challenge, extensive efforts taken by the University of Maine System have helped identify, prevent and reduce breaches of information. In early 2011, the University of Maine System Board of Trustees approved the creation of an information security policy and plan that put in place a series of actions and protections, including a four-member Office of Information Security dedicated to network and systems security across the statewide system. That group works in conjunction with dozens of campus-based staff.

Vulnerability scans are performed quarterly on more than 1,500 server systems. In April 2012, a statewide employee information security awareness training program was implemented and, to date, completed by more than 2,500 faculty and staff systemwide. UMS also is working with all vendors to ensure that third-party contractors safeguard university data.

Most recently, UMS contracted with a computer network monitoring service offered by the company Solutionary to implement intrusion detection sensor equipment for monitoring all campus networks.

For more information see an online information center.

Contact: Margaret Nagle, 207-581-3745, nagle@maine.edu