Hackers steal ID info from Virginia university

Thousands of students, faculty and staff at George Mason University have personal information downloaded by online intruders in a major security breach.

Declan McCullagh Former Senior Writer

Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

See full bio

Declan McCullagh

Jan. 20, 2005 5:05 p.m. PT

2 min read

George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders.

The attackers broke into a server that held details used on campus identity cards, the university said. Joy Hughes, the school's vice president for information technology, said in an internal e-mail sent over the weekend and seen by CNET News.com that "the server contained the names, photos, Social Security numbers and (campus ID) numbers of all members of the Mason community who have identification cards."

Hughes warned that campus community members should contact the major credit bureaus to flag their accounts for possible identity fraud. "It appears that the hackers were looking for access to other campus systems rather than specific data," Hughes wrote. "However, it is possible that the data on the server could be used for identity theft."

George Mason is a public university located in Fairfax, Va., a suburb of Washington, DC, with smaller campuses in Arlington, Va., and Prince William County. It reported 26,796 students enrolled as of fall 2002, and 3,908 faculty and staff members.

It also is home to the Information Security Institute, the Lab for Information Security Technology and the Center for Secure Information Systems, which has been designated a "Center of Academic Excellence" by the U.S. National Security Agency.

Last year, George Mason said it would cease to print Social Security numbers on campus ID cards and would instead generate unique "G numbers" for each student and each member of faculty and staff.

That was in reaction to a Virginia state law, enacted as a response to identity fraud concerns, that required state agencies and universities to change their practices. But the server with the ID card information still stored Social Security numbers in its database, according to the George Mason e-mail.

"We felt that the information there was secure," George Mason spokesman Daniel Walsch said on Monday. The school discovered the breach on Jan. 3 and university police are investigating, he said.

George Mason is not alone among universities in suffering a security breach. Two years ago, online intruders broke into a server containing the credit card numbers of some 57,000 patrons of a Georgia Institute of Technology arts and theater program, while others lifted more than 55,000 Social Security numbers from computers at the University of Texas at Austin. Last year, more than 1 million California residents had their personal information leaked thanks to a pair of incidents at UCLA and the University of California at Berkeley.