Identity Finder, a data security company, confirmed a large breach at over 50 of the nation’s top universities earlier this month, including NYU, according to a press release.
A hacker group by the name of Team Ghost Shell claims responsibility for the attack, and said they targeted 100 universities worldwide, taking over 120,000 student, faculty and staff accounts.
The account information gathered was dumped onto websites like Pastebin. Identity Finder could only confirm 40,000 exposed accounts but said the hackers could have had access to many more.
Among the stolen information, Identity Finder was able to confirm tens of thousands of email addresses, thousands of usernames and passwords, and one bank account number. They stated that no Social Security or credit card numbers were taken.
Philip Lentz, NYU Director of Public Affairs, said that of the information that was taken, only two local databases were from NYU servers.
“No files were lost,” Lentz said. “Rather, the local databases were posted on the Pastebin website. The university’s Information Technology Services unit is now working with the administrators of two local databases to better secure their files.”
He confirmed that no sensitive personal information was comprised.
Aaron Titus, a representative for Identity Finder, says most universities use a computer language used to make queries into databases for storing student, faculty and staff information. The hackers, he said, used a basic SQL injection, a technique often used to attack sites, to access this information.
“The hacks were not so much sophisticated as they were persistent,” said Titus, who stated that the hackers must have spent months scanning various universities’ databases for weaknesses.
Nasir Memon, the director of the Information Systems and Internet Security laboratory at NYU-Poly, commented on Internet security difficulties universities face, mainly because so many different people access the university network on many different machines.
“Universities like to have open environments. This makes things difficult,” Memon said. “You can’t really lock the university network down.”
Titus reflected Memon’s sentiments by saying that many universities have individual departments that are in charge of securing their own databases and may not have tightly regulated security.
“These tertiary systems are a risk because many are not under high security,” Titus said.
Titus also said information security is ultimately up to the university.
“It is hard for students to protect themselves,” he said. “Once you give your information to a third party, you don’t control it.”
Nakul Prajapati, a sophomore at the University of Michigan, another targeted school, was worried that her school was not prioritizing security enough.
“I understand it’s a public university so accessible information is a priority,” she said. “But students are paying for a sense of security on campus, and I think that precedent should carry over to the Internet too.”
Steinhardt sophomore Saudy Melo noted that the security breach may be received differently to students considering the generation’s digital prowess.
“Our generation is a little less concerned about what losing your sensitive information really means,” Melo said. “I expect my sensitive information to be secure. I expect it to not leave the university’s database, just like a bank, or any other institution I would give my social security number, too.”
A version of this article appeared in the Tuesday, Oct. 23 print edition. Kevin Burns is a staff writer. Email him at [email protected].