University of Wisconsin hacked: 75,000 social security numbers, student names exposed

University of Wisconsin hacked: 75,000 social security numbers, student names exposed

Summary: The University of Wisconsin is investigating a breach which may have exposed 75,000 social security numbers of students and staff.


The University of Wisconsin's Milwaukee campus has been subject to a malware attack, which has exposed names and social security numbers of students -- past and present -- and staff alike.

Malware was discovered on a database server, which contained 75,000 social security numbers, and was shut down immediately after the malware was found.

While law enforcement and school investigators have yet to find evidence that data was stolen, the university sent out a letter to those who may have been affected by the breach.

In a statement, the vice-chancellor -- the university boss -- believes that the motive was theft of research project data; data and research programmes the university itself excels in. Staff found back-door malware, which can scan and view documents on a server, which is used by many of the university's departments to store crucial research.

One of the concerns is that the malware could have had access to other servers, indicating the likelihood of a wider hack.

The malware is thought to have been installed on May 25th, and local and federal law enforcement were called in to investigate. On June 30th, however, it was discovered that the database containing social security numbers was compromised, also.

University officials, via a notice on their website, warn students to monitor their financial information and credit card statements to be on the safe side.

This news comes only days after it was discovered that users' data, including social security numbers -- predictable in nature -- can be taken from sites like Facebook and other publicly government sites.

While data in this case may not have been downloaded -- only exposed to hackers by malware -- it once again calls questions on the data that universities have on its students.

It is, however, another reminder to users of Facebook and other social networking sites not to make birthday and date of birth data available on the web. While though it may be benign on in singular form, hacks like these, which include your full name, make you even more vulnerable to identity theft and bank account hacks more likely.

Related content:

Topics: Banking, Enterprise Software, Government, Government US

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Data encryption

    SSN must be entrypted in ALL databases. Documentation saved in cloud should be encrypted, or at least un-readable.<br><br>Even my own application is able to do that. What are these "enterprises" thinking?
  • RE: University of Wisconsin hacked: 75,000 social security numbers, student names exposed

    There are a couple of questions raised about this article.
    1. Towards the bottom: How does your specifics, SSN and FB, confuse the reader? I mean the generic ?users? data? and ?government sites? get overlooked. 1 might think that you are implying that you can get someone?s SSN from FB and not by gathering pet names, mom?s maiden name, hometown ? and then going to a gov?t site to plug in the answers to security questions.
    2. The Vice-chancellor is not the Boss. More a Vice-Boss. The Boss would be the Chancellor. The Vice-Chancellor would be more likely to shoot his friend in the face while hunting quail and issue statements about incidents.
    3. Malware on a database server is kind of strange, but what about the 35 PCs that belong to Admissions, HR, Employee health, Network Security? that connect to this DB server that have 10 times more malware on them. Maybe not all of them, but in my university experience, at least 20% do.
    4. The departmental storage of crucial research? sounds more to me like a biomedical facility looking for a cure for cancer and not one that would have SSNs on it. Would the Math dept be keeping a copy of the Pythagorean Theory or perhaps the English dept is coming up with new ways to conjugate a verb.
    The mixing of what is on a server is the main problem from what I have read here and experienced in RL. A big problem with that is SPACE and MONEY. 2 servers and maybe even 2 rooms is not cost efficient. But then, neither is paying for an investigation.
    Research, in a university environment, is conducted by students. Chinese Nationals, Taliban, Timmy from across the street from your mother, Anonymous? pretty much anyone can be a researcher. If this was accidental, then you can add everyone from network admins plugging into the server with a usb key, to the secretary who emails out the findings.
    • RE: University of Wisconsin hacked: 75,000 social security numbers, student names exposed

      @dbisse@... To clarify -- the vice-chancellor is the boss of a university. Other names include rector, provost, president, etc. In certain universities, there is a chancellor -- seemingly above that of the vice-chancellor, but usually an academic which acts as a ceremonial lead.

      In political terms, put it like this. Vice chancellor = prime minister. Chancellor = monarch. It's the prime minister who really runs the show.

      Hope this helps.
  • RE: University of Wisconsin hacked: 75,000 social security numbers, student names exposed

    The headline outruns the story. I guess using the word "may" was too temperate.
  • duh

    Good thing they don't use cloud computing.
  • RE: University of Wisconsin hacked: 75,000 social security numbers, student names exposed

    I really don't understand why all the saved data is not encrypted. Aren't university people supposed to be smart?
  • RE: University of Wisconsin hacked: 75,000 social security numbers, student names exposed

    Just to clarify, the Vice Chancellor at UWM is not the boss. There is a Chancellor, there is a Provost, and then there are four Vice Chancellors. Most universities in the U.S. have a similar structure.
  • UW-Milwaukee is NOT the &quot;University of Wisconsin&quot;

    I'm not speaking as an official representative, but...

    You may or may not be familiar with the structure of the University of Wisconsin System, but UW-Milwaukee is not the "University of Wisconsin". It is the "University of Wisconsin-Milwaukee".

    The only campus which is generally allowed to use or is referred to as the "University of Wisconsin" is UW System's flagship campus, the University of Wisconsin-Madison.

    UW System is comprised of 26 institutions, all of which are decentralized and do not interact with each other much in the IT realm, save for some system-wide projects.

    UW-Madison will suffer if you generally refer to a data breach at UW-Milwaukee as a breach of the "University of Wisconsin" ? this may seem like semantics but it's not.