The attackers broke into a server that held details used on campus identity cards, the university said. Joy Hughes, the school's vice president for information technology, said in an internal e-mail sent over the weekend and seen by CNET News.com that "the server contained the names, photos, Social Security numbers and (campus ID) numbers of all members of the Mason community who have identification cards."
Hughes warned that campus community members should contact the major credit bureaus to flag their accounts for possible identity fraud. "It appears that the hackers were looking for access to other campus systems rather than specific data," Hughes wrote. "However, it is possible that the data on the server could be used for identity theft."
George Mason is a public university located in Fairfax, Va., a suburb of Washington, DC, with smaller campuses in Arlington, Va., and Prince William County. It reported 26,796 students enrolled as of fall 2002, and 3,908 faculty and staff members.
It also is home to the Information Security Institute, the Lab for Information Security Technology and the Center for Secure Information Systems, which has been designated a "Center of Academic Excellence" by the U.S. National Security Agency.
Last year, George Mason said it would cease to print Social Security numbers on campus ID cards and would instead generate unique "G numbers" for each student and each member of faculty and staff.
That was in reaction to a Virginia state law, enacted as a response to identity fraud concerns, that required state agencies and universities to change their practices. But the server with the ID card information still stored Social Security numbers in its database, according to the George Mason e-mail.
"We felt that the information there was secure," George Mason spokesman Daniel Walsch said on Monday. The school discovered the breach on Jan. 3 and university police are investigating, he said.
George Mason is not alone among universities in suffering a security breach. Two years ago, online intrudersa server containing the credit card numbers of some 57,000 patrons of a Georgia Institute of Technology arts and theater program, while others more than 55,000 Social Security numbers from computers at the University of Texas at Austin. Last year, more than 1 million California residents had their personal information leaked thanks to a pair of incidents and .