March 13, 2008 9:17 AM PDT

Harvard student database hacked, posted on BitTorrent

Harvard says about 10,000 of last year's applicants may have had their personal information compromised. At least 6,600 Social Security numbers were exposed. Worse, a compressed 125-megabyte file containing the stolen student data is currently available via BitTorrent, a peer-to-peer file-sharing protocol.

In a statement published Monday night, Harvard officials said the database containing summaries of GSAS applicant data for entry to the Fall 2007 academic year, summaries of GSAS housing applicant data for the 2007-08 and 2006-07 academic years, and administrator information had been compromised. The server had been taken offline for several days last month to investigate the extent of the problem.

Most troubling are the 6,600 summaries from admissions candidates from the United States that were copied. Harvard officials said the data includes the applicant's name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and school records.

A BitTorrent file containing the stolen data includes a note that reads in part "maybe you don't like it but this is to demonstrate that persons like tgatton(admin of the server) in they don't know how to secure a website." The torrent consists of a server backup of the GSAS site with a full directory structure and three databases: joomla.sql, the main database; contacts.sql, a database of contacts; and hgs.sql, a miscellaneous file.

Harvard University has informed the affected students, and apologized for the error. The university said it would provide identity theft recovery services from Kroll Inc. to those who might potentially be affected.

That's a bad day for someone
by rdgadz, March 13, 2008 9:45 AM PDT

How does something like this get solved?

Hacked by Fraud Protection companies?
by SysEng5, March 13, 2008 10:13 AM PDT

Add this one to your conspiracy theories. It's far-fetched, but let your mind wander for a minute. I am an Identity Theft protection company. I recently gave a presentation on my services to a large institution (Harvard, for example). I then either employ or have on staff a skilled "Black Hat" who then taps into and successfully takes confidential data (I pay him a bonus for his success). Once the breach becomes public (and I help facilitate that if needed), I make my services available to protect those affected. Pretty crafty business model, huh?

Security is complex
by biffhenerson, March 13, 2008 10:22 AM PDT

Securing a site that is connected to any network is a complex task. In my experience, the people in charge of security are very, very underqualified. In addition, people using the data, such as a spreadsheet full of payroll information, have no clue that putting it in folder "x" will enable everyone in the company to read it. I would venture to say that most companies have exposed data and have no clue that it is exposed. I see it all of the time. If you want to make top dollar, become a security guru and swoop in and save these idiot companies. They obviously don't care about your confidential data. They need to be sued back to the Stone Age by the students. Money talks. Losing money will cause change to happen. Shame on you Harvard. Apology not accepted.

Yes, but dubious at best
by fredtheviking, March 13, 2008 10:33 AM PDT

There is merit to your plan except it flies in the face of morals, but even from an amoral perspective there are still issues. There is a significant risk that Harvard chooses your competitors. Not to mention the risk of getting caught, which would be one story the media would pounce on. Your career and life would be done for. The only upside I see is creating greater awareness of Identity Theft, which would help the industry as a whole, not just your business. So, there is a lot of downside risk, little upside. So, no, I think it very unlikely that it was a plan by an identity theft protection firm.

I'd be more impressed if...
by flowersjustin, March 13, 2008 2:19 PM PDT

...the hacker had sent a personalized e-mail to each of the compromised persons explaining the situation and asking them to take action. As it is, I find it hard to believe that this person had good intentions in mind when he bit-torrented secure information. Ridiculous and immature.

"BitTorrent" is a protocol, not a place
by Balrob, March 14, 2008 2:33 PM PDT

Please don't blacken BitTorrent's name with your ignorance. It happens to be a superb protocol for data transfer, and for this reason was adopted very quickly by the media sharers. However, it is just as applicable in legitimate downloads and even in corporate data delivery.

Please correct incorrect reporting
by AmyStephen, March 14, 2008 3:44 PM PDT

This article is incorrect. Please re-read the Harvard announcement, which clearly states that upon closer examination, it was determined that the server broken into contained sensitive data that *could have been* viewed. These data were *not released* on the torrent earlier reported. Additionally, it should be clearly stated that the break-in was accomplished by illegal use of the administrative password and ID to the server itself. The break-in was not due to vulnerable software of any kind. Thank you.

Harvard database hacked
by vass, March 14, 2008 5:08 PM PDT

The Chinese do everything possible to undermine and steal all sensitive info from the Pentagon as well as all related industries. I wonder if they did not hack Harvard in order to gain extremely useful info about tomorrow's leaders. Any thoughts on that?

Large databases of private information will inevitably be abused
by bledsoetech, March 17, 2008 6:40 AM PDT

There have been a number of interesting posts at techdirt.com (for example, http://www.techdirt.com/articles/20080225/134712350.shtml) that suggest that ANY time a large database of confidential information is created, it will be abused in some way. In other words, this compromising of data at Harvard University should be viewed as the rule, not the exception.

About Defense in Depth

With over eight years at CNET covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews with the top security researchers making the news, as well as offering the hands-on, non-technical advice you'll need to stay safe online.
