University of Delaware officials have identified the cause of the cyber security breach that resulted in the online theft of confidential information from 72,000 current and former employees.
Karl Hassler, associate director of IT Network Systems and Services at the University of Delaware said the breach occurred within third-party software that the university had been using.
“It was a vulnerability of software we acquired from a vendor in the Java programming suite so that was zero-day vulnerability and the hackers exploited that,” explained Hassler.
Zero-day vulnerability means the software maker had “zero days” to identify and fix the problem before the hacker was able to find it.
He added that they are working with the FBI and have notified Delaware Attorney General Beau Biden’s office. They are also working with a private security forensics firm to identify the hackers.
“We’re getting daily updates and there isn’t anything new being revealed at this time,” he said.
Files containing personal information including names, addresses and social security numbers were taken on or around July 17. The university began notifying employees of the security breach earlier this week.
The university is offering three years of credit monitoring through Kroll Advisory Solutions to those affected.
Other schools on alert
Other higher education institutions in the state are monitoring their own cyber security closely and taking precautions.
“Wesley College takes the security of our information very seriously,” said Jody Sweeney, chief technology officer at Wesley College. “That security begins with physically securing our data network through the use of firewalls and physically isolating the student network from the production network. It also means ensuring that no hardware or software allows for any access to personal data of our employees or students across that divide.”
Delaware State University also said it has safeguards in place to protect information.
“Just as the cyber breach that took place at the University of Delaware demonstrates, there are no absolutes when it comes to preventing criminal database intrusion,” said DSU Spokesman Carlos Holmes. “Nevertheless, Delaware State University and its IT professionals utilize a portfolio of activities and procedures that are designed to prevent such breaches of cyber security. It should be well understood that what happened to UD could happen to any institution. Because of that, we make it a top priority to safeguard DSU’s databases and to maintain security of information and systems.”
Mark Hufe, director of the Center for Cyber Security at Wilmington University said despite even some of the best efforts, hacking still happens.
“It’s so hard to defend against every possible attack factor,” he said. “Hackers go after low hanging fruit; they look for the easiest way in. As soon as you have vulnerability and you shore up that vulnerability, they don’t bother with that one anymore, they look for another.”
Once one account is cracked, Hufe said hackers can quickly piece together information to break in to other protected accounts.
“If someone gets your user name and password for one account, chances are, it’s available for another too,” he said. “The more information they know collectively from your accounts, they aggregate that together and sooner or later they can get into your bank account.”
Protecting yourself online
Along with credit monitoring, there are additional steps online users can take to prevent being a victim of a cyber security hack.
Hufe said hackers try to guess user name and password combinations so having a strong password is vital.
“[It needs to be] at least eight characters long if not longer, with at least one special character, one number, one upper case and one lower case letter,” said Hufe.
He also advises staying current on software updates.
“Do all of your software updates,” he said. “Those updates come out because people find vulnerabilities.”
He also says to look for abnormal wording in emails and never open a suspicious attachment.