U Nebraska Breach Could Hit 654,000 Student Records

• By Dian Schaffhauser
• 05/30/12

An Oracle PeopleSoft-based student information system in place since 2010 has been breached at the University of Nebraska Lincoln. The hacked database contains personal records for students, alumni and applicants of the university's four campuses. According to some media reports, the database contains 654,000 records going back to 1985. However, currently, the university is especially concerned about the data for 30,000 people who specifically had banking information stored in the system.

According to a question-and-answer page on a new security Web page created by the university, a Computing Services Network staff member discovered on May 25, 2012, Friday, that somebody had gained access to the student system. "This was a sophisticated and skilled attack on our system that was discovered and shut down within hours of its discovery," the FAQ stated. It didn't provide details about how the breach occurred.

That particular database contains records for students, parents, employees, alumni, and applicants, for managing admissions, housing, and course registration. It holds Social Security numbers, addresses, transcripts, grades, and other student data, as well as personal and financial information of parents of students who had applied for financial aid and university staff members. However, the database contains no credit card information.

U Nebraska sent a letter to those whose financial information is vulnerable, advising them to monitor their financial accounts "closely in the coming weeks" and to report suspicious activities to their banks. The same letter also suggested they place a fraud alert on their credit files. The university hasn't offered to pay to provide that service free to those who could be affected.

So far, said Information Security Officer Joshua Mauk, there has been "no clear evidence" that anybody's personal information was actually downloaded. Nor have there been any reports of identity theft related to the breach.

Technical staff have been working "around the clock," Mauk said, to identify other individuals who may be at increased risk. "It is our responsibility to continue to notify those potentially impacted by this breach as quickly as possible."

According to Mauk, the institution is working with law enforcement to establish the extent of the breach. The university has also has hired a firm specializing in data breaches to assist in a forensics investigation.

The university recommended that anybody whose information could be contained in the system refer to a Federal Trade Commission Web site offering guidance about identity theft.

The near-$30 million system, based on PeopleSoft Campus Solutions, was set up in 2010 after a multi-year implementation. At the time the selection of PeopleSoft was announced, Nebraska State College System's Chancellor Stan Carpenter said, "We believe that Oracle offers the best combination of functionality, support, and cost-effectiveness, and we are confident that the Campus Solutions system will provide excellent accountability and reliable records management."