Boston College reveals alumni data breach
School alerts more than 100,000 former students of an attack on a database that holds records used for fund raising.
College representatives said Thursday that the school was the target of a virus attack on a computer housed in a campus calling center used by students to solicit donations from alumni. According to Boston College spokesman Jack Dunn, the machine in question is managed by a third-party IT service, which the school has chosen not to publicly identify.
Dunn said the company noticed a spike in the computer's activity during a routine maintenance operation and discovered a virus on the device that was attempting to use the database to launch attacks on other systems. The machine was then taken offline and examined in order to determine the extent of the attack.
No other computers were found to be affected by the virus, he said.
Although the investigation bore no evidence that hackers may have accessed alumni information stored on the database, which included individuals' Social Security numbers and other personal details, the school decided to inform all the people whose records may have been compromised.
The college has not received any reports of identity fraud related to the incident, Dunn said, but he noted that the school wanted to be cautious and inform the alumni of the potential for such attacks.
"We thought it was necessary to send out the precautionary advisory to alert the alumni and to offer them steps that they could take to ensure their privacy," he said.
In addition to sending warning letters to affected alumni, Boston College also has created a Web site and telephone hotline to handle inquiries into the break-in.
Dunn said the college will also purge individuals' Social Security numbers from all of its records in the future. He said schools have long used the identifiers to keep track of people in a number of ways but noted that increasing concerns over the security of computing systems used to store the information have caused the college and others to review the policy.
Boston College's potential data leak follows a similar incident at Virginia's George Mason University in January, in which hackers gained access to the personal information, including Social Security numbers, of more than 30,000 students, faculty and staff. As a result of the attack, the university promised to change the manner in which it uses Social Security numbers to identify people, including striking the codes from its campus IDs.
Consumer data protection issues have been thrust into the spotlight over the last month, as high-profile break-ins at companies such as ChoicePoint and a subsidiary of LexisNexis have exposed flaws in the defense systems and business policies of so-called data brokers.
Politicians such as U.S. Sens. Patrick Leahy and Dianne Feinstein, as well as independent privacy rights organizations have used those incidents as an opportunity to call for more comprehensive consumer data protection laws.