An anonymous cracker has downloaded copies of three databases from Harvard University containing information on around ten thousand applicants to the Graduate School of Arts and Sciences from 2007, and has made the files available to all via BitTorrent.
The databases – joomla.sql, contacts.sql, and hgs.sql – contain information including Social Security numbers, names, dates of birth, and addresses both real and electronic. The security breach occurred some time in February according to a press release by the department concerned, but it is only since the cracker made the data available on a peer-to-peer network that the university has realised the full extent of the damage.
The person responsible for the breach – or at least for uploading the data to BitTorrent – included a note with the 125MB archive claiming the attack was carried out “to demonstrate that persons like tgatton [server administrator] [...] they don't know how to secure a website.”
Although the original reason for the attack may have been to prove a point, making the data available publicly changes things for the worse. Not every criminal who is capable of making use of the information included in the database is smart enough to be able to retrieve it from the improperly secured server, but the vast majority of them will be able to use a BitTorrent client.
Harvard University has written to all those affected apologising for the breach, and will provide credit monitoring and identity theft recovery services free of charge. The site affected has also been secured – at least against this particular exploit.
Do you think the cracker had a valid point to make about the security of the website, or did he cross the line when he uploaded the data unmunged to BitTorrent? Share your thoughts over in the forums.