Hackers access Kirkwood data

By Sarah Binder
CEDAR RAPIDS—Among the millions of networks of networks that make up the Internet, anyone is vulnerable.

“We would not have expected to be on the radar for an international hacking group; but we realized everyone is on that radar,” said Kristie Fisher, Kirkwood Community College’s vice president of student services.

Last month, hackers using an international IP (Internet Protocol) address accessed personal information about people who applied to Kirkwood between February 2005 and March 13. More than 125,000 records were potentially impacted, Ms. Fisher said.

It is unknown whether the hackers actually downloaded any information, or if the data vulnerability was limited to identity theft. The application information included names, birthdates, race, contact information and Social Security numbers. No financial or academic data was stored in the system.

Kirkwood’s information technology employees noticed suspicious activity on the evening of March 13 and deactivated the entire Kirkwood website within minutes, Ms. Fisher said.

Once they confirmed the activity was limited to the online-course application portal, the remainder of the website was restored. The application portal remained offline until it was rebuilt and tested for increased security. The portal was put back online April 4.

Meanwhile, the college created a media alert and sent out letters to students and applicants whose data was stored in the system, offering a year’s worth of free services, including identity-theft insurance, through Kroll Advisory Solutions, a forensic analysis, digital investigation and risk mitigation services company.

Kirkwood Community College was required to notify students and applicants by sending letters. But the school decided to alert the media for greater transparency and offer services to those impacted, to help them monitor their information, Ms. Fisher said.

Most of the questions the college has received from students, Ms. Fisher said, are whether the letters were legitimate and how to proceed. While some students have been  disappointed and upset, others reported they have been hacked before and will not use the  free insurance because they already closely monitor their online information.

“For the most part, students and applicants have been very understanding,” Ms. Fisher said.

The FBI is investigating the hack, but when dealing with international cyber intrusion, it can take years to solve a case, according to Sandy Breault, a FBI spokesperson located in Omaha.

“Criminal computer intrusion investigations start with the report of an incident and vary greatly in nature, progression and timeline. Enterprise-level cyber crime intrusions may be complex and multi-national in nature and can take several years to reach prosecution,” Ms. Breault stated in an email interview. “The FBI is involved in cyber-crime computer intrusion incidents that violate U.S. federal law and meet thresholds for criminal prosecution as determined by the U.S. Attorney’s Offices. The FBI focuses cyber resources on enterprise-level cyber crime organizations and national security matters that  potentially have the greatest negative impact on the U.S.”

Due to the ongoing investigation, Ms. Breault could not comment on the Kirkwood case, but noted hacks and security issues are “inherent risks to using the Internet.”

At Iowa State University, the Information Assurance Center (IAC) researches cyber-security issues and offers courses for academics and business professionals, including an online master’s degree program.

“In essence, it’s a crime of opportunity,” said Doug Jacobson, IAC’s chair. “They (hackers) are constantly out there looking for something they can break in to.”

Last fall, the IAC opened the Information Systems Security Laboratory (ISSL), which offers outreach and services to the business community. The ISSL provides trainings for IT staff and general employees, on-site security education programs, product testing and security regulation compliance assistance.

Traditionally, businesses that manage a lot of sensitive information or face government regulation have been most concerned with cyber security, Mr. Jacobson said. However, businesses of all sizes can fall prey to the “crime of opportunity,” he said.

“Security is a tough game; the defenders have to be perfect, and the hackers only have to be right once,” he said.

A major focus of research at the IAC is the rapidly growing  number of connected machines, Mr. Jacobson said. It has been predicted that the number of devices  connected to the Internet will surpass the global population by the end of this year.

“More and more of our physical world is being controlled on the Internet. That’s kind of a scary thing,” he said.

For a small businesses concerned with cyber security, Mr. Jacobson recommended first checking with its Internet service provider. Many ISPs offer security services, and since the ISP already controls the flow of information to the business, it is a natural place to start, he said.

Another concern for businesses, he said, is making sure employees on all levels are technologically literate. In some cases, having a dedicated IT staff can actually lure employees into a false sense of security, he said. However, with the many types of cyber threats that exist online, he said it is important for all employees to be vigilant.

“The attacks are getting so personal. People are at risk at home, and they’re at risk at work. We need to get people more security literate,” he said.

At Kirkwood, Ms. Fisher said she was just thankful the IT staffers were able to respond quickly. She was proud of the organizational structure which allowed those employees to take action within minutes, she said.

“We are really looking at how do we adapt and change our security going forward,” she said. “Security, probably every day, needs to be updated.”