[ISN] Hacker hits Duke system

InfoSec News isn at c4i.org
Sat Jun 4 14:23:19 EDT 2005


Staff Writer
Jun 4, 2005 

A hacker broke into the Duke University Medical Center computer system
last week, stealing thousands of passwords and fragments of Social
Security numbers, Duke officials said Friday.

Duke is notifying about 14,000 people, roughly 10,000 of whom are
medical center employees, that their information may have been
compromised and is advising people to change passwords if they use the
same one for multiple purposes.

Other individuals affected include alumni of the Duke University
School of Medicine, physicians and other clinicians who registered
online for some types of continuing medical education at Duke and
others who accessed certain Web pages maintained by the medical

The incident is the latest in a series of security breaches nationally
at banks and other major organizations that store personal
information. This is one of the largest yet to hit the Triangle.

Computer security failures have increased concern about identity theft
and prompted some states to adopt laws that require speedy disclosure
to people whose private information may be compromised. The General
Assembly is considering an identity-theft protection bill that would
mandate such notification.

None of the Duke computer databases broken into contained personal
financial data or patient information, according to the medical
center. The hacker did grab about 5,500 computer passwords and the
users' first and last names. In addition, the hacker stole about 9,000
partial Social Security numbers -- either the last four digits or the
last six digits.

Duke sites affected include training Web pages, which clinical
research staff might have used to brush up on safety protocols,
educational sites that clinicians participating in Web conferences
would have signed into and internal pages employees might have visited
to sign up as a volunteer for a Duke event or alumni function.

"These weren't our core systems," said Asif Ahmad, the medical
center's chief information officer. "These were more peripheral

Determined identity thieves can wreak havoc with just a name and a
password, said Mark Durrett, director of product management and
marketing for Covelight Systems, a Cary company that makes privacy
protection and fraud management software. That's because most people,
for convenience, use the same passwords for many different purposes,
from bank accounts to e-commerce Web sites.

"In a perfect world, we'd all have different user names and passwords
for everything," Durrett said. "But the typical person will have one
or two passwords they use for everything in their life."

The Duke security breach occurred May 26 sometime between 1 a.m. and 4
a.m. A Duke computer system administrator detected the unauthorized
user at about 4:30 p.m. the same day while conducting a routine check
of logs that record activity on medical school Web sites. Such checks
are made daily to watch for potential security breaches, Ahmad said.

Once the unauthorized access was detected, Duke immediately shut down
the Web pages affected. Then administrators cross-checked the names of
people whose information was stolen with the names of employees and
clinicians who have access to core computer systems, such as patients
registration and scheduling, patient billing, accounts receivables and
human resources. People on both lists had their passwords reset, Ahmad

"It was not a lot of people -- it was literally in the teens," he

Ahmad said the hacker apparently found a vulnerability in the software
used to create the affected Web pages and exploited it to gain access
to layers of the pages only administrators are supposed to see. Ahmad
said the problem has since been fixed and the Web pages are up and
running again.

More information about the ISN mailing list