
Student accused in Texas data heist

A student at the University of Texas at Austin is charged in the online theft of 55,000 database records that included Social Security numbers from the school.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.

Federal prosecutors on Friday charged a student of the University of Texas at Austin with breaking into the school's database and stealing 55,000 records earlier this month.

The student, 20-year-old Christopher Andrew Phillips, turned himself in to the U.S. Secret Service and was scheduled to appear in federal court Friday. The charges stem from data, which included the stolen records, gleaned from the student's hard drives, the U.S. Attorney's Office for the Western District of Texas said in a statement.

"On March 5, 2003, Secret Service agents carried out search warrants at Phillips' residences in Austin and Houston and seized several computers," the statement issued Friday said. "On a computer found in his Austin residence, agents recovered downloaded names and Social Security numbers and the computer program used to access the UT database."

The database--called "an administrative data reporting system"--holds general information about students, faculty and employees at the university, including each person's name, Social Security number, e-mail address, title, department name, department address and department phone number.

A security flaw in the database's design allowed records to be accessed with only a valid Social Security number. Phillips is thought to have created a program that tried more than 3 million numbers, which resulted in approximately 55,000 records being found. His attorney could not be reached for comment.

The charges are a new twist in a case that began March 2, when University of Texas administrators noticed problems when accessing an administrative database. The school quickly realized that the loss of connectivity had been caused by an unauthorized user monopolizing the database.
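An added example, not part of the original article and not the university's code: a sketch of how lookup logs for a service keyed on a single identifier could be screened for the enumeration pattern described above, where one client tries many distinct identifiers and most of them miss (the article's figures, about 55,000 records from more than 3 million tries, amount to a hit ratio under 2%). The log format, client addresses, identifiers and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log entries: (client, identifier looked up, record found?).
# Format, names and thresholds are assumptions, not the university's system.
def build_sample_log():
    log = []
    # A normal user looks up a handful of identifiers, all of them valid.
    for i in range(5):
        log.append(("10.0.0.5", f"ID-{1000 + i}", True))
    # An enumerating client walks a range; only a few guesses return a record.
    for i in range(500):
        log.append(("10.0.0.9", f"ID-{200000 + i}", i % 50 == 0))
    return log

def find_enumerators(log, min_distinct=100, max_hit_ratio=0.2):
    """Flag clients that query many distinct identifiers with mostly misses."""
    seen = defaultdict(set)   # client -> distinct identifiers tried
    hits = defaultdict(set)   # client -> distinct identifiers that returned a record
    for client, ident, found in log:
        seen[client].add(ident)
        if found:
            hits[client].add(ident)
    flagged = {}
    for client, idents in seen.items():
        ratio = len(hits[client]) / len(idents)
        # Volume alone would also flag bulk jobs; the low hit ratio is what
        # separates guessing from a client that already knows valid keys.
        if len(idents) >= min_distinct and ratio <= max_hit_ratio:
            flagged[client] = (len(idents), round(ratio, 3))
    return flagged

if __name__ == "__main__":
    for client, (tried, ratio) in find_enumerators(build_sample_log()).items():
        print(f"{client}: {tried} distinct identifiers, hit ratio {ratio}")
```

A check like this runs on the lookup log itself, so it can raise an alert on the guessing pattern rather than waiting for legitimate users to lose access to the database.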

Investigators haven't been so quick to name suspects in other recent cases involving data theft. In February, a data-processing center in Nebraska revealed that 8 million credit card numbers had been stolen from its servers, but no suspects have been named in that case. In addition, in January, the University of Kansas acknowledged that online attackers had snagged the records of 1,400 international students. That case also remains open.

The University of Texas at Austin is continuing to try to contact everyone whose information may have been put at risk by the online break-in. The school has created a Web site to help students and faculty know if their own data is at risk.

While law enforcement officials don't believe that any data has been leaked to the Internet at large, they warned that affected people should still watch their credit reports and other important information carefully. "Persons who may have been directly affected by this incident should remain on alert for possible misuse of their names and Social Security numbers and promptly report any suspected illegal activity to the United States Secret Service," the U.S. Attorney's Office said in the statement.