Harvard: Hard to get into, easy to hack

March 14, 2008 5:45:00 PM PDT
It's one of the hardest schools in America to get into, but not for hackers. Last month, at least one hacker launched an attack on a computer server at Harvard University, potentially viewing the personal information of up to 10,000 graduate students and applicants to the Graduate School of Arts and Sciences and posting some of the information on the Web.

Harvard officials began notifying thousands of students and applicants this week that some of their personal information, in some cases Social Security numbers, may have been accessed.

According to Harvard chief information officer Dan Moriarty, an attack was launched Feb. 16 on a server that contained applications for prospective students as well as the housing information of current students. About 6,600 of those applications included Social Security numbers.

The following day, the school took the server offline for five days to investigate the source of the attack.

Some of the information on the server was copied and ultimately posted on The Pirate Bay, a well-known bit torrent Web site where people can download movies and music.

For a short time, they could also access housing information and student ID numbers of a small number of Harvard graduate students. No Social Security numbers were posted on the site.

The university isn't sure whether thousands of more sensitive bits of information have been posted or used, hence the notification of anyone with personal information on the server.

"If you can, imagine the server like a pie. There was a slice of the pie that we know was copied and referenced," Moriarty said. "We cannot rule out that this [other] information may have been accessed."

The school is offering free access to credit monitoring services and credit reports to people whose information was exposed.

"We had an aggressive security program in place before and obviously we are continuing with that today," Moriarty said. "Our primary focus today has been on the individuals that may be impacted."

One of those affected is 27-year-old Ben Lee, a Harvard doctoral candidate in applied physics. Although Lee heard about the hacking when it originally happened in February, like many other students, he didn't realize the full extent of the incident until Thursday.

"When stuff like this happens and it goes online people at school find out really quickly," Lee said. "The feeling that I get from people is just that we're not really afraid that someone will take our bank accounts ... but just having such a security breach, that was surprising."

Although the school refused to say exactly how a hacker broke into the system, Lee had his own theories.

"I heard a rumor that some of the system administrators had really easy passwords so it was really easy to get in," Lee said.

But Moriarty says that this isn't the first time an attack has targeted Harvard; it's just the first time one has been successful.

"We are still investigating so there is still no definitive answer," he said. "As you can well imagine, there are ongoing hacking attacks on most machines on the Internet."

Universities are often a target for hackers who want access to computing power, not personal information, according to computer security expert and Georgia Tech assistant computer science professor Jonathon Giffin.

"Universities are targets to hackers because they have significant computing resources and have access to lots of things ... not necessarily because of the personal information," Giffin said. "There are large collections of computers in universities and that makes them interesting."