Illinois university hit with security breach

The university said it mailed the last of its notifications on Monday to people whose Social Security number, credit card account number and other sensitive information were on the student service servers in the security breach.

"The breach occurred on June 5 through our electronic student services system servers. They do frequent checks on their system and discovered the breach within hours after it occurred," said Darcie Shinberger, a spokeswoman for Western Illinois University.

The incident affects alumni and students who attended the institution between 1983 to the present, as well as 1,000 individuals who were there from 1978 to 1982. Anybody who purchased items online from the university's bookstore or who stayed at the university union hotel also may have had their data exposed, Shinberger said, but could not specify a date range.

The hacked servers house Western's electronic student services system, which is used to run the university's admissions Web site, financial aid, bookstore and hotel.

Western Illinois University distributed e-mail notices to those affected on June 15 and began following that up with mailings last week. It has not received any reports from its public safety office of individuals having their personal information compromised as a result of the incident, Shinberger said.

For the school to say it has no evidence that private information has been used to commit identity theft is disingenuous, said Avivah Litan, an analyst at research firm Gartner. Unless a school has taken an extensive review over an extended period, there's no sure way of determining whether the hackers have profited from the information, Litan said.

In addition, victims of identity theft will often turn to other sources to report the problem, such as their credit card companies or local police, before notifying the place where the breach occurred.

Following the incident, Western Illinois University, which serves 13,400 students and has an alumni base of 95,000, began installing new security measures. It is reviewing its policies for storing information and handling online credit card information.

The security breach is not the first for the university. A few years ago, a student broke into Western's computer system and began rifling through his or her own virtual records.

"We have never had anything of this magnitude. This is a first for us," Shinberger said. "There are always risks when doing business online."

Perhaps one of the strongest indicators of the level of security at U.S. universities is that even after a string of major breaches at such places as Ohio University, Notre Dame University and the University of Texas, hackers continue to find their way into college computer systems.

The pervasiveness of security breaches there stem, in part, from the way educational institutions are set up. Universities and colleges desire an exchange of ideas and information and, as a result, maintain relatively open networks. Security experts have noted that this situation may well be to blame for security breaches at institutions.

CNET News.com's Greg Sandoval contributed to this report.