The attackers, using IP addresses from China and Australia, stole 22,396 SSNs belonging to people who worked in the university's system in 2004 and were also current or former students.
The university has campuses in Columbia, Kansas City, Rolla and St. Louis.
The school's IT security personnel first noticed suspicious activity on a computer help-desk application on Thursday, and by Friday morning they had identified a large series of query errors being made to that application and its associated database, according to a university statement.
Soon after, technicians disabled the account used by the two malicious IP addresses, but by then hackers had already made off with the sensitive data. They retrieved the information "through a webpage used to make queries about the status of trouble reports" to the IT help desk on the Columbia campus, according to the university statement.
"The hacker was able to reach the information by making thousands of queries over a span of hours, allowing the identities to be exposed one at a time," according to the statement.
School spokesman Scott Charton told SCMagazine.com that the intruders accessed the data in a report that "probably should have been expunged but was not." It did not, however, contain any financial information, and there is no evidence that any of the data has been misused.
The university has already answered 1,800 calls and 400 emails from victims, and it plans to send out 13,000 notification letters via regular mail today, Charton said.
Ironically, SC Magazine recently spoke with Becky Thurmond Fowler, systems security analyst of IT at the University of Missouri in Columbia, for a story about the SANS Institute’s new push to educate application developers on security.
Fowler coordinates a college initiative called SafeWeb, which seeks to raise campus awareness about the need to implement security in applications.
Reached today, she deferred questions about the hacking incident to Charton.
David Larson, director of product management at Maynard, Mass.-based data security firm Tizor Systems, told SCMagazine.com that universities should deploy software that monitors back-end databases in real time.
"You're like a bank," he said. "You should view your data like a vault. And there is no vault that doesn't have cameras in it."
This is the latest in a series of computer intrusions affecting major universities. Ohio State; the University of California, Los Angeles; and Texas A&M have lost hundreds of thousands of records to hackers in recent months.
Experts have said colleges are frequent targets of hackers because some schools employ sub-par security, while other industry professionals think cybercrooks prefer stealing identity information about students, who likely have better credit than older Americans.
Hackers steal 22,000 Social Security numbers from University in US
By Dan Kaplan on May 10, 2007 10:17AM