Purdue informs former math students of computer security incident

August 16, 2011

WEST LAFAYETTE, Ind. - Purdue University is informing 7,093 former students who took mathematics courses, faculty and some others that an unauthorized user may have gained access to information about them. Those affected have been notified by personal letter.

The breach occurred on April 5, 2010. Purdue staff learned of the breach three days later and immediately took the server offline. Although the intruder left no evidence of seeking or accessing the files, there were files with personal information present - mainly older course records from 2000 through the summer session of 2005 - that had been placed on the computer in error.

Examination of the breach indicated its characteristics were not consistent with an attack designed to gather data from the system, but rather an attempt to use the system to launch attacks against other servers.

However, Purdue staff conducted an in-depth and time-intensive forensic examination to determine what types of data might have been exposed during the breach. The scan of the system found 6.6 million nine-digit numbers in files created by 286 different users. Establishing which numbers could be actual Social Security numbers required individual examinations of the context of each number with the file owners and took six months to accomplish. That left 64,268 numbers that could still have been Social Security numbers, and an additional four months were needed to refine the scanning techniques, employ additional forensics and determine that the actual number of Social Security numbers was 7,093.

The team then matched the numbers to their owners and informed the Indiana Attorney General's office in late June 2011. The math department was then able to notify the owners of the numbers.

"Through our investigation, we found no evidence that the unauthorized user attempted to find or read any files with personal information in our system, but felt informing people who may have been affected was a necessary precaution," said Laszlo Lempert, head of the Department of Mathematics. "We regret the breach occurred, and we've taken extensive measures to prevent this from happening again."

In addition to former students, a small number of faculty, family members and contractors also have been informed that they were potentially affected. The notification letter provides a toll-free phone number for inquiries at 866-520-0492.

Under university policy, Social Security numbers are no longer used except where required by law. Instead, all students, alumni, faculty and staff, and others whose records are kept for business reasons are assigned a Purdue identification number.


The following steps can help guard against identity theft:

* Carefully watch financial statements and credit report statements to check for entries that you do not recognize or any new accounts opened in your name.

* Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission recommends that you check your reports periodically. Identity theft information sometimes is held for use later or is shared among a group of thieves for use at different times.

* Check your credit reports periodically, alternating among the three credit agencies every four months.

* Contact one of the three credit reporting agencies to put a fraud alert on your file. (When you request this from one agency, the other two also will put an alert on your file.) All three credit-reporting agencies can be accessed online at http://www.annualcreditreport.com. To request your credit report by phone, call 877-322-8228; your reports will be mailed to you.

* If you think you have been the victim of fraud or identity theft, contact the Federal Trade Commission to file a complaint at http://www.ftc.gov/bcp/edu/microsites/idtheft/ or call 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible by law enforcement agencies for their investigations. The FTC also will advise you on additional steps to take in the event your information is being used illegally.

* Information about how to protect your identity and prevent identity loss is available from Purdue at http://www.purdue.edu/securePurdue/theft.cfm

Contact: Chris Sigurdson, 765-496-2644, sig@purdue.edu