Print this article | E-mail this article | Comment on this article

Harvard server hacked, database of student data on BitTorrent

By Tim Conneally, BetaNews

March 13, 2008, 4:00 PM

Harvard, the Ivy-league bastion of higher learning released a statement on Monday that its database of applicants to the Graduate School of Arts and Sciences from last year was compromised.

As many as 10,000 applicants could have had their information exposed, with at least 6,600 comprehensive profiles that include names, Social Security numbers, dates of birth, mailing and e-mail addresses, phone numbers, test scores, and school records.

A small number of student records even included details as specific as personal health issues and food allergies.

The statement said the extent of the hack was not fully revealed in the initial examination. However, the hackers made the degree of their compromise visible, by availing all the information on BitTorrent as a 125MB file containing a backup of the GSAS site, including the full directory structure and its three databases.

According to the host of the file, the hack was executed to show that the server's admin does not know how to secure a Web site.

That seems to be an echo of the 2004 case of two first-year students hacking into Oxford's computer system and publishing a front page story about it in the Oxford Student. While those students claimed to only have the security of the school in mind, the result was more a mockery of the school's inferior IT department.

The GSAS' administrative dean said the school is "truly sorry" for the incident and is notifying and apologizing to everyone in the database. The school will be paying for identity theft recovery services for all parties involved.

Add a Comment (10 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

By ryback

edited Mar 17, 2008 - 6:35 AM

I believe hacking to unveil security flaws in a system is OK as long as you don't use the flaw maliciously. Inform the administrator of his errors and move on. If he choose to ignore the information so be it.

Posting the info you find on the internet is not a very nice thing to do. It affects thousands of innocent people in a very negative way. To the people posting this info - shame on you! You give hackers a bad name!

Score: 0

By Zoroaster

posted Mar 15, 2008 - 8:26 PM

The common point between mafia and hackers of this sort is they both desperately try to justify their actions by a reference to superior aims. Sick brains.

Score: 0

By Registered

posted Mar 13, 2008 - 10:04 PM

According to the host of the file, the hack was executed to show that the server's admin does not know how to secure a Web site.

this statement is confusing, was it the website that was hacked, or the database server, because by distinction there usually seperate,

or does this mean, the website, was hacked, then the database (SQL, ORACLE) Ect. meaning the database server thought it was the website system asking for info, when in fact it was a user copying all the info,

reason i'm confused, most database files are not located on the same system as the website is running, not just for security, but for longterm maintinence and resource efficiency.

still i'm shocked either way, another case where Encryption is not being used effectively, don't tell me.... they used just the one password for all the data, no excuses for stupidity.

Score: 0

By nasserd

posted Mar 14, 2008 - 9:30 AM

Most schools have niche projects which follow absolutely no rhyme or reason pertaining neither proper nor academic security procedures. These rogue setups are part of the 'underbelly' and 'never trust IT in academia' remarks stated earlier.

That said, they probably ran everything on the same machine! Get in via a vulnerable port (especially within the network) and you can copy the db files directly.

Score: 0

By Paul Skinner

posted Mar 14, 2008 - 6:14 AM

SQL Injection is most likely.

That's done via the website, possibly through the URL, or maybe through some imput box or other.

Score: 0

By ingram091

edited Mar 15, 2008 - 6:38 AM

That's the most common issue yes. It happens to many firms and groups frequently. Unless you have a good DB admin that watches for such things in the logs its hard to catch at times.

Unfortunately IT employment is lacks worldwide. Indeed a very large majority of it is outsourced to contractors. Having an IT staff full time is part of what keeps companies safe from such things. Problem is most places don't see how to justify paying a person or persons to do so unless there is a problem. Thing is IMHO an IT staff is suppose to be on hand to prevent such things, not have to clean up the mess. Its very hard to explain that to executives sometimes though.

Score: 0

By moordrake

edited Mar 13, 2008 - 6:56 PM

Im taking the Certified Ethical Hackers course. One of the first things I learned is if you want to cover your tracks is to proxy thru the soft underbelly of any given .edu. Colleges are notorious for lax IT security, and the bad people know it.

Score: 0

By Paul Skinner

posted Mar 13, 2008 - 7:25 PM

I know there is a flaw in my old Uni's payment system whereby I can retrieve bank details without the need to log in.

I just can't be bothered to let them know about it.