The UA is taking steps to strengthen its online security after a hacker gained access to a web server in the James E. Rogers College of Law in July.
The personal information of thousands of the college's former students and former applicants was mistakenly stored on the server.
“That’s one of the reasons why the College of Law is taking all these measures to minimize harm — because we’re responsible,” Sigurdson said.
The server, which was housed in the College of Law building, hosted the college’s public website and its local intranet and also stored data, including passwords and social security numbers, said Chris Sigurdson, the UA’s senior communications adviser.
The hacker gained access in late July, and since the discovery of the breach, the college has sent personal letters to the 9,080 individuals who were potentially affected to notify them of the situation. The college is offering 12 months of free credit monitoring through Experian for any of those affected.
“[We took a] substantial [amount of] time here at the law school, with support of the university, to make sure we understood who was involved and to figure out the most effective way to respond,” said Marc L. Miller, dean of the College of Law.
The University of Arizona Police Department was informed of the incident and brought in the FBI, which is currently investigating the case, Sigurdson said.
“We took it offline so it wouldn’t be available to anybody,” Sigurdson said. “Then it was surrendered to the FBI and the University of Arizona Police Department for their investigation to try to find out who got in.”
Once the digital intruder hacked into the system, the information, which Sigurdson said wasn’t supposed to have been stored on the server in the first place, could have been accessed.
“In some cases, it was the combination of name, social security number and other personal identifying information,” Sigurdson said. “In other cases, it was their login and password for an intranet.”
Because the data in question was all entered into the server around 10 years ago, only former students and former applicants to the College of Law could have been affected, Sigurdson said, adding that a small number of employees’ information was also accessible to the hacker.
After officials found out about the incursion, the server was immediately shut down.
A newer, more secure server has been installed since the removal of the compromised server, Sigurdson added.
Current students aren’t as vulnerable to such intrusions because the UA stopped using social security numbers to identify students in 2008, except where required by law, Sigurdson said.
Miller said he and his colleagues are doing everything they can to rectify the situation.
“We are sorry that it occurred. It’s always frustrating when events like this happen,” Miller said. “We’re doing our best to make sure that no one is harmed and that we make sure it doesn’t happen in the future.”
– Follow Mark Armao @MarkArmao