Two weeks after discovering that its website had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised.
The personal data was in a file on the university's Web server, which was accessed by criminals who were using the university's site as part of a spam operation, said Patrick Dilger, the university's director of public affairs. "The hackers were using our Web server as a host for their own Web site," he said.
Pages on the university's site contained ads for diamond rings, Viagra and Cialis. After noticing the ads on 9 April, IT staff discovered the file containing the sensitive information. "When we were doing the security review after the hacker incident, we saw this file there and it wasn't properly secured, so it could have been targeted by someone," Dilger said.
The university believes that the hackers came from outside the US, and it is working with Connecticut's attorney general's office to investigate, Dilger said.
The file on the web server contained names, addresses and Social Security numbers of students who had registered to graduate from the school, dating back to 2002.
Students affected by the breach are being offered identity protection services for two years.
There has been a raft of web-based attacks lately. On Tuesday, security vendor Websense reported that thousands of websites - including sites hosted by the United Nations and UK government - had been compromised in the latest round of so-called "mass injection" attacks. This is the second widespread Web attack reported this month by Websense.
The university's attack does not appear to be connected with these widespread attacks, however. In those hacks, attackers had been using the Web sites to attack other computers and infect them with malware. With Southern Connecticut, the motive appears to have been tied to spam.