UCM makes plans to keep students safe from identity theft

Feb 4, 2010, 10:57 AM

By LINDSAY HURSHMAN Muleskinner

WARRENSBURG, Mo.--Despite a number of recent security breeches, UCM IT experts say the University’s core data system is secure.

When an unauthorized data access occurs, there is a considerable amount of extra work for the people working with Information Services, said F. Russell Helm, chief information officer for UCM’s Information Services.

“In this most recent case we have been discussing, in a 45-day period, over 500 staff hours were added to routine duties, and this number is still rising as the situation continues to be under investigation,” Helm said. “Since the staff time available is a fixed quantity, this takes away from other IS projects and services provided to the campus.”

Extra work can also mean more money spent. Helm said that when there is a need to quickly deal with an unexpected incident regarding technology, whether it is a security incident or a service interruption, it is not unusual to bring in additional external resources and vendor support at extra cost to UCM.

Information Services has to take immediate action when they are made aware of a possible security breach. The first step, Helm said, is to validate that a security breach did actually happen, and determine how it occurred. Then, the information services team takes the steps to secure the data and prevent the incident from reoccurring. This includes creating a variety of technical barriers and complex entry codes to prevent unauthorized access to confidential data.

To prevent another incident like this from happening in the future, Helm said that they are “addressing both the processes and technology utilized by faculty or staff, particularly in regard to data copied from the core database in the performance of their daily work.”

Helm said there has been no indication in the investigation so far that UCM’s ERP system banner, where official University data is stored, was the source of the data. Rather, copies of University data legitimately used by University officials in carrying out business were discovered in the hands of unauthorized individuals.

Former UCM student, Joseph A. Camp, 25, Ithaca N.Y., was arrested by the Federal Bureau of Investigation’s Internet Crimes Task Force in Rochester, N.Y., for allegedly stealing identification access and related pass codes.

Sgt. Matt Vessar, with UCM’s Department of Public Safety, said that Camp tried to sell a file containing 90,000 names and records to the FBI’s Internet Crimes Task force.

The FBI in Rochester, NY alerted UCM officials, and worked with UCM’s Department of Public Safety and Information Services to do a review of the data the FBI obtained from Camp. The review of this data led the investigation to another suspect, Daniel J. Fowler, 20, who was a UCM student that lived on campus and was a UCM employee. Fowler was then arrested by Vessar on charges, which have not yet been filed, for tampering with computer data. A statement by UCM reported that Camp and Fowler are believed to have worked together.

Not all of the names and records were UCM’s, said Jeff Murphy, assistant director of university relations for media relations.

Out of the file containing the 90,000 names, dates of birth and social security numbers, 550 of those matched UCM’s data, meaning that the social security number, last name, and first name in both the were the same.

“In all cases, when the middle initial and date of birth for the 550 records were compared, none of the [90,000] records were identical to University data,” Helm said. “In some cases, the [90,000]-record file contained information that UCM’s database did not contain. While it is difficult to prove a negative statement, the facts all indicate that it is far more likely that the file has a source that is not the University’s data.”

Less than one percent of the records in the 90,000-record file overlap with the data of persons associated with the University, he said.

How could this happen?

Records from UCM’s database are often duplicated in other places for legitimate business purposes of the University.

“For example, faculty or staff member may run written or electronic reports and use them quite appropriately in the fulfillment of their job duties,” Helm said. “It is possible for an unauthorized individual, be they a student or anyone else, to obtain information by stealing it, either from one of the legitimate copies used by faculty or staff, or by stealing a user ID/password and using that to log on to desktop systems used by faculty or staff members.”

In and unrelated incident, Camp was arrested in November 2009 on supiscipian of hacking into the Housing record management system and electronically crediting his account. That incident is still under investigation.

According to records from the New York State Department of Correctional Services, Camp was on parole since December 15, 2008 after a previous felony conviction for attempted burglary.

• Terms of Use
• Privacy
• Admin
• © 2009 digitalBURG.com, c/o UCM - Muleskinner, Warrensburg MO 64093
• RSS: