Harvard student database hacked, posted on BitTorrent

Harvard says about 10,000 of last year's applicants may have had their personal information compromised. At least 6,600 Social Security numbers were exposed. Worse, a compressed 125 M-byte file containing the stolen student data is currently available via BitTorrent, a peer-to-peer network.

In a statement published Monday night Harvard officials said the database containing summaries of GSAS applicant data for entry to the Fall 2007 academic year, summaries of GSAS housing applicant data for the 2007-08 and 2006-07 academic years, and administrator information had been compromised. The server had been taken offline for several days last month to investigate the extent of the problem.

Most troubling are the 6,600 summaries from admissions candidates from the United States that were copied. Harvard officials said the data includes the applicant's name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and school records.

A BitTorrent file containing the stolen data includes a note that reads in part "maybe you don't like it but this is to demonstrate that persons like tgatton(admin of the server) in they don't know how to secure a website." The BitTorrent file consists of a server backup of the GSAS site with a full directory structure and three databases: joomla.slq, the main database; contacts.sql which is a database of contacts; and hgs.sql, a miscellaneous file.

Harvard University has informed the affected students, and apologized for the error. The university said it would provide identity theft recovery services from Kroll Inc. to those who might potentially be affected.

[rdgadz]

thats a bad day for someone

how does something like this get solved?

[SysEng5]

Hacked by Fraud Protection companies?

Add this one to your conspiracy theories. It's far-fetched, but let your mind wander for a minute.

I am an Identity Theft protection company. I recently gave a presentation on my services to a large institution (Harvard, for example). I then either employ or have on staff a skilled "Black Hat" who then taps into and successfully takes confidential data (I pay him a bonus for his success). Once the breach becomes public (and I help facilitate that if needed), I make my services available to protect those affected.

Pretty crafty business model, huh?

[tacit]

No, not crafty at all

In fact, it'd be a pretty dumb business model. The risks are way
too high for a single contract. Should such a conspiracy come to
light--and it would, sooner or later--the company would be
ruined, and its owners would possibly be in the path of prison
time. It simply is not worth the risk to sign one deal with
Harvard--the deal just plain isn't worth that much money.

Besids, there's no need. There's plenty of profit to be made
cleaning up after genuine security lapses and compromises.
There's no need to go out making up your own business when
there's plenty of legitimate business to be had.

[biffhenerson]

Security is complex

Securing a site that is connected to any network is a complex task. In my experience, the people in charge of security are very very under qualified. In addition, people using the data such as a spreadsheet full of payroll information, have no clue that putting it in folder "x" will enable everyone in the company to read it. I would venture to say that most companies have exposed data and have no clue that it is exposed. I see it all of the time. If you want to make top dollar, become a security guru and swoop in and save these idiot companies. They obviously don?t care about your confidential data. They need to be sued back to the Stone Age by the students. Money talks. Losing money will cause change to happen. Shame on you Harvard. Apology not accepted.

[ajhoughton]

We don't know

Since we don't know what the security hole in question was, we
don't know if it's reasonable to assume that it would in the
normal course of business be fixed.

For instance, if this was a zero-day exploit of some software on
the server, then there is very probably nothing that could have
been done about it.

Or if it was a security hole that had been published recently, the
risk of upgrading the software *might* have outweighed the
benefit of fixing the hole. In the short term this is quite a
common determination; it's why (for instance) enterprises rarely
roll-out security hot fixes to all their machines the moment
they're made available. Some testing has to happen first, at the
very least.

Anyway, I think you are being disingenuous in blaming Harvard
for this. Regardless of whether or not the server was secure, the
fact is that it's the fault of some jumped up little script kiddie
who thinks it's a good idea to put 10,000 people at risk of
identity theft just to make some sort of point.

[fredtheviking]

Yes, but dubious at best

There is merit to your plan except it flies in the face of morals, but if from a amoral prespective there is still issues. There is a signicant risk that Havard chooses your competors. Not to mention risk of getting caught which would be one story the media pounce on. Your career and life would be done for.

The only upside I see is creating greater awareness of Identify Theft, which would help the industry as a whole not just your business. So, there is a lot of downside risk, little upside. So, no I think it very unlikely that it was a plan by a identify theft protection firm.

[flowersjustin]

I'd be more impressed if..

The hacker had sent a personalized email to each of the compromised persons explaining the situation and asking them to take action.

As it is, I find it hard to believe that this person had good intentions in mind when he bit-torrented secure information.

Ridiculous and immature.

[Balrob]

"Bittorrent" is a protocol not a place

Please don't blacken Bit Torrent's name with your ignorance.
It happens to be a superb protocol for data transfer - and for this reason was adopted very quickly by the media sharers.
However, it is just as applicable in legitimate downloads and even in corporate data deliver.

[AmyStephen]

Please correct incorrect reporting

This article is incorrect. Please re-read the Harvard announcement which clearly states that upon closer examination, it was determined that the server broken into contained sensitive data that *could have been* viewed. These data were *not released* on the torrent earlier reported.

Additionally, it should be clearly stated that the break in was accomplished by illegal use of the administrative password and ID to the server itself. The break in was not due to vulnerable software of any kind.

Thank you.

[vass]

harvard database hacked

The chinese do everything possible to undermine and steal all sensitive info from pentagon as well as all related industries,I wonder if they did not hack Harvard in order to gain extremely useful info about tomorrow's leaders.Any thoughts on that?

[bledsoetech]

Large databases of private information will inevitably be abused

There have been a number of interesting posts at techdirt.com (like for example http://www.techdirt.com/articles/20080225/134712350.shtml )that suggest that ANY time a large database of confidential information is created, it will be abused in some way. In other words, this compromising of data at Harvard University should be viewed as the rule, not the exception.