Boston.com / Business / Technology / Tufts warns alumni on breach: “Tufts warns alumni on breach
Tufts warns alumni on breach
Computer attack exposed names, numbers to theft
By Hiawatha Bray, Globe Staff | April 12, 2005
For the second time in a month, a Boston-area college is warning thousands of alumni that their personal information may have been stolen from a computer system used for fund-raising.
Tufts University last week began sending letters to 106,000 alumni, warning of ”abnormal activity” on a computer that contained names, addresses, phone numbers, and, in some cases, Social Security and credit card numbers.
”We have no evidence that information was retrieved or misused,” the letter said. But it urged alumni to notify their banks and check their credit reports for signs of illicit activity. The school also set up a website, http://www.tufts.edu/security, to provide alumni with more detailed information.
Boston College took similar steps in mid-March, after a computer with files on 120,000 alumni was breached. Both Boston College and Tufts said that the affected computers were operated by an outside company that manages alumni fund-raising activities. RuffaloCODY, a Cedar Rapids, Iowa, fund-raising firm, handles alumni fund-raising for Tufts. In an e-mail, Boston College spokesman Jack Dunn wouldn’t identify the school’s fund-raising firm ”for legal reasons.” But RuffaloCODY has posted an advertisement on the Internet seeking Boston College students to work on the school’s alumni fund-raising campaign.
Mark Rasch, an attorney who formerly headed the US Justice Department’s computer crime unit, said that if computer criminals have identified a weakness in RuffaloCODY’s security practices, they could use the same method to attack other machines run by the company.
”Once a vulnerability is discovered in one of those processes,” said Rasch, ”then everybody who uses that processor or that third party is affected.”
Rasch said that the information technology staff at Tufts should join forces with Boston College to determine whether an attacker is singling out RuffaloCODY, or college alumni databases in general. By comparing data logs from both computers, they might spot patterns that could help prevent future attacks.
”You pick up the phone, call the IT security director at Boston College, and say, ‘Show us your logs, we’ll show you ours,’ ” Rasch said.
RuffaloCODY officials did not respond to repeated telephone calls. The company provides fund-raising services for many major nonprofit institutions, including Boston’s Museum of Science, Iowa Public Television, Iowa State University, and the University of Georgia.
Colleges and businesses routinely hire outside firms to provide specialized computing services. But these outside contractors can cause problems for clients if their computers are insecure. For instance, ApplyYourself Inc. of Fairfax, Va., manages admissions information for several of the nation’s top schools, including Harvard Business School and the Sloan School of Management at the Massachusetts Institute of Technology. When over 200 students took advantage of a security breach last month to find out whether they’d been admitted, it forced the schools into an uncomfortable debate over whether to reject the applicants for unethical conduct. Some, like Harvard, rejected them; others, like Dartmouth’s Tuck School of Business, said it would decide on a case-by-case basis.
Betsey Jay, Tufts’s director of advancement communications and donor relations, said the problem at her school was detected late last fall, when campus computer managers noticed unusually large amounts of data moving through the machine.
”It was high volume, indicating distribution of large files,” said Jay. ”Our initial indications were that somebody may have used the computer as a distribution point for off-loading entertainment media files.”
For example, someone could have used the computer as part of a ”darknet,” a clandestine private network whose members swap illegally copied music and video files. Jay said there was no evidence that the computer break-in was an ”inside job” by a student, faculty member, or employee. Also, no data about current students or employees was exposed to the attackers.
Computer administrators quickly plugged the security breach.
”There’s been absolutely nothing untoward since Dec. 19,” Jay said. At the time, Tufts officials saw no reason to warn alumni, as the school found no evidence that any personal data had been accessed. But then came news of the alumni computer breach at Boston College, as well as thefts of personal information at California State University, the University of California at Berkeley, Northwestern University, and the commercial database vendor ChoicePoint Inc.
The spate of scary headlines made Tufts officials rethink their silence.
”We started seeing these across the country,” said Jay. ”As we gathered more information on this, we decided it would be better to be super cautious.” Jay estimated that the mailing would cost Tufts about $41,000. ”We certainly think that it’s worth it,” she said.
Hiawatha Bray can be reached at email@example.com.