A server at the University of Florida's College of Dentistry was compromised remotely by an attacker, exposing the personal information of more than 336,000 patients.
In an announcement last week, the university said it found rogue software on the server on Oct. 3 during a server upgrade. IT staff determined that an attacker had used vulnerability-scanning software remotely to install the software on the server.
The server contained unencrypted information on thousands of patients who received care at the UF College of Dentistry between 1990 and 2008. The personal information included a combination of names, dates of birth, addresses, Social Security numbers and billing codes for patients, the university said.
"It's unfortunate that, like many large institutions, we were targeted," said Teresa Dolan, dean of the UF College of Dentistry, in a statement. "We work hard to continually fine-tune our security protections, and maintaining our patients' trust and confidence is of utmost importance."
The university also said it was struggling to notify all of the patients whose information was compromised. It identified more than 8,000 patients who had data stored on the server, but no current mailing address connected to them.
In the UF privacy breach announcement, officials said the compromise took place despite recent security improvements. It said the dental school "added and strengthened firewalls and intrusion detection systems, encrypted the data flows containing sensitive information, and increased vigilance in identifying threats and securing servers." Those measures address the perimeter and data in transit; the patient records on the compromised server itself were stored unencrypted.
The compromised database server was probably not Internet-facing, said Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting Inc. Instead, the attacker likely used a scanner to find a vulnerable machine, gain a foothold inside the network and eventually reach the database server holding the dental school records.
"It takes a lot of work to successfully defend against that kind of attack," Nebel said.
Core Security Technologies Inc. makes a vulnerability testing tool, Core Impact, which automates the same moves a skilled attacker would make to gain access to a system. The tool scans for vulnerabilities; when it finds an exploitable flaw, it pushes a software agent onto the affected server, where the agent acts as a Trojan and attempts to download further software onto the compromised host.
Tools like Core Impact leave a distinctive signature in log files, which the IT team analyzed after discovering the breach, Nebel said.
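The scanning behaviour Nebel describes shows up in ordinary web-server logs as a burst of requests for many different paths from a single source, most of them failing. The following is an added example, not code from the article, from the university or from Core Security: a small Python detector that parses Apache/nginx combined-format access logs and flags sources that fit that pattern. The log lines, IP addresses and thresholds are constructed for illustration, and the heuristic is a generic one; it does not encode Core Impact's actual log signature, which the article does not describe.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (standard field layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# CONSTRUCTED sample log: 10.20.30.40 probes ten distinct paths in 18 seconds
# and receives mostly 4xx responses (scanner-like); 192.168.5.17 is a normal user.
SAMPLE_LOG = [
    '10.20.30.40 - - [03/Oct/2008:02:14:01 -0400] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.20.30.40 - - [03/Oct/2008:02:14:03 -0400] "GET /admin/ HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.20.30.40 - - [03/Oct/2008:02:14:05 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.20.30.40 - - [03/Oct/2008:02:14:07 -0400] "GET /manager/html HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.20.30.40 - - [03/Oct/2008:02:14:09 -0400] "GET /cgi-bin/test-cgi HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.20.30.40 - - [03/Oct/2008:02:14:11 -0400] "GET /_vti_bin/shtml.dll HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.20.30.40 - - [03/Oct/2008:02:14:13 -0400] "GET /wp-login.php HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.20.30.40 - - [03/Oct/2008:02:14:15 -0400] "GET /xmlrpc.php HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.20.30.40 - - [03/Oct/2008:02:14:17 -0400] "GET /cgi-bin/php HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.20.30.40 - - [03/Oct/2008:02:14:19 -0400] "GET /server-status HTTP/1.1" 403 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.168.5.17 - - [03/Oct/2008:02:14:02 -0400] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '192.168.5.17 - - [03/Oct/2008:02:14:08 -0400] "GET /patients/login HTTP/1.1" 200 2210 "http://dental.example/" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '192.168.5.17 - - [03/Oct/2008:02:14:20 -0400] "POST /patients/login HTTP/1.1" 200 512 "http://dental.example/patients/login" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '192.168.5.17 - - [03/Oct/2008:02:14:25 -0400] "GET /patients/home HTTP/1.1" 200 4410 "http://dental.example/patients/login" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, window=timedelta(seconds=60), min_paths=8, min_error_ratio=0.5):
    """Flag source IPs that, inside any sliding `window`, requested at least
    `min_paths` distinct paths and got a 4xx/5xx response for at least
    `min_error_ratio` of those requests. Thresholds are illustrative; tune them
    against your own baseline traffic. Returns one finding per flagged IP,
    describing the window with the most distinct paths."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):
            # Advance the window start until all records fit inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            paths = {r["path"] for r in win}
            errors = sum(1 for r in win if r["status"] >= 400)
            ratio = errors / len(win)
            if len(paths) >= min_paths and ratio >= min_error_ratio:
                cand = {
                    "ip": ip, "distinct_paths": len(paths), "requests": len(win),
                    "error_ratio": round(ratio, 2),
                    "first": win[0]["ts"], "last": win[-1]["ts"],
                    "user_agents": sorted({r["ua"] for r in win}),
                }
                if best is None or cand["distinct_paths"] > best["distinct_paths"]:
                    best = cand
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_scanners(SAMPLE_LOG):
        print(f"{f['ip']}: {f['distinct_paths']} distinct paths, {f['requests']} requests, "
              f"{f['error_ratio']:.0%} errors between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

In a real environment the same sliding-window logic belongs in the SIEM or log pipeline rather than in a one-off script, and the source IP of interest may be an internal host, which is the case Nebel raises: a scanner that has already gained a foothold inside the network looks like this to the servers it probes next.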
"Universities probably represent a training ground for hackers," Nebel said. "Most of time you'll find student computers and not much [of anything] interesting there, but if you get into the right systems, there's financial records and other valuable information."
In two separate earlier incidents, the University of Florida announced a breach affecting 1,900 patients of its College of Medicine, which led to the dismissal of a plastic surgeon for storing unsecured patient records, and in June it disclosed that more than 11,000 current and former students had their sensitive information put at risk when it was posted online between 2003 and 2005.
Colleges and universities have been frequent targets of hackers this year: so far, more than 50 data breaches have occurred at colleges and universities in 2008.
By Robert Westervelt