Western Connecticut State University on Thursday said that a database vulnerability on a system housing sensitive personal information resulted in approximately 235,000 individuals being exposed.
The vulnerable server maintained records collected by the university over a 13-year period, and was said to be vulnerable from April 2009 to September 2012.
Exposed information included names, addresses, social security numbers, and/or financial account information provided in association with transactions with the university.
The information was gathered in several ways, the University said, including when prospective students applied to the university, when filled financial aid forms were filled out, or when the university purchased lists of items like SAT scores.
The vulnerable information dated back to 1999, the University said. There is no evidence that records were inappropriately accessed, however.
The University did not provide specific details on the vulnerability, or what operating system or database software the server was running. A search on SHODAN shows a that a web server powering www.wcsu.edu runs Lotus Domino, but that certainly does not mean the affected database was using the same software.
“When he became aware of the issue on Sept. 26, 2012, WCSU President James W. Schmotter immediately activated the Board of Regents security incident response plan,” the University said in a statement. “The BOR Information Security & Policy Office conducted an investigation to determine what happened and identify and remediate security vulnerabilities campus-wide.”
Interestingly, the university set up a searchable database that contains the names of all affected individuals; hopefully that database is a bit more secure.
SecurityWeek did a test search using what we assumed to be generic (fake) information, using the last name “Smith” and last Four of a Social Security Number of “1234” – The query resulted in a notice which stated, “Based on our records, you may have been affected by this security incident.” To go one step further, we ran another query with what certainly was information that wouldn’t be in any databases, essentially populating the fields with a long string of random letters and numbers. That result: “We were unable to locate your records in our database. This does not mean however, that you have not been affected.” That doesn’t seem to be very useful to those curious to see if they were affected and exposed.
The university said that it has “dramatically increased its information protection capacity” with new layers of protection, and that it would continue to assess and improve all aspects of its information security program. The university also said that it has notified the Connecticut Attorney General’s office about the incident.