Indiana University, 5300 students, malware
According to an Associated Press article appearing in the Indianapolis Star,
Personal information about nearly 5,300 Indiana University students might have been accessed by a computer hacker, school officials said.
Technicians discovered during a routine scan that three malicious software programs had been installed on a Kelley School of Business instructor’s computer in mid-August, said James Anderson, the school’s director of information technology.
“You’re not going to find folks who are not malicious hackers who have access to these programs,” Anderson said. “They are not something your average computer user would use. They are very cryptic and non user-friendly.”
The programs were accessed in early October, but it could not be determined whether any personal information was removed, the school said.
A letter was sent Friday to 5,278 students notifying them of the security breach. All of the students had been enrolled in an introduction to business course between 2001 and 2005.
Anderson said no misuse of personal information had been reported, but encouraged students who received the letter to take precautions, including a check of their credit report.
According to another report, Social Security numbers “were stored on the computer along with other records”.
Questions for IU:
1. Why did this instructor have information on enrollees for this course?
2. If (s)he taught the course, why was it necessary to maintain several years’ data regarding students? What, precisely, was the nature of the records this instructor had?
3. Who owned the computer on which the malicious programs were found? If it was the instructor’s personal property, why did it contain confidential personal information which students gave to the University?
4. Why did it take six months to discover this malicious software? Aren’t the “routine scans” performed more often?
5. What evidence supports the conclusion that the programs were last accessed in October?
6. If the affected computer is the instructor’s, what assurance has the University obtained that all backup media or internet-based backups made by the instructor are free of the students’ personal information?
7. Why were SSNs among the stored data elements?