College official's e-mail is hijacked
By DARREN M. ALLEN Vermont Press Bureau - Published: March 30, 2006
MONTPELIER — A hacker used the e-mail account of a Lyndon State College administrator to send a protest message across campus last week.
The message was in response to Vermont State Colleges waiting three weeks to tell its computer users about the potential exposure of personal information for up to 20,000 students, faculty and staff.
The e-mail said it was "brought to you by the concerned masses who would like to ensure a proper solution to the recent security breach," according to Bob Whittaker, the dean of institutional advancement at Lyndon.
The e-mail was sent campuswide and was purported to be from Stephen C. Allen, the administrator of the college's computer system.
Lyndon officials immediately determined that no personally identifiable information had been accessed, Whittaker said, and they contacted law enforcement agencies and are investigating. They believe that the person who sent the e-mail improperly gained access to Allen's password.
"We are taking this very seriously and are taking every measure to identify the breach in security," Whittaker said. "There is every indication that no information was accessed that would cause us to feel a need to fear that personal information has been compromised."
Last week, administrators at the five-college system were under fire for taking three weeks to notify students, faculty, alumni and staff about the theft in Montreal on Feb. 28 of a laptop belonging to an information technology official.
That laptop could have contained information — including payroll, Social Security and other sensitive data — on as many as 20,000 people associated with the colleges.
Although administrators said they shut down access to the system's main computer networks from the stolen laptop hours after it was reported missing, they still have no idea how much sensitive information was stored on the computer.
The latest incident at Lyndon underscores just how upset faculty and students are with the three-week delay in notification. Armed with Social Security numbers and payroll data, identity thieves can wreck a person's credit and deplete their bank accounts.
The faculty union has hired an attorney to look into the matter and to see whether the college violated any part of its collective bargaining agreement with its professors by failing to tell people immediately that their personal information could be viewed by others.
The bogus e-mail was not malicious in tone.
"Hello, and good-day. My name is Identity Theft Victim, Stephen C. Allen — LSC LAN/System Administrator," the missive, sent to all Lyndon computer users, said. "This email is being sent because I chose not to change my default e-mail password, allowing my account to be hijacked through simple methods. Recently 20,000+ VSC student, alumni, faculty and staff identities were compromised through the theft of a stolen VSC laptop."
Administrators at both Lyndon and system headquarters in Waterbury reiterated Wednesday their belief that no personal data has been divulged or accessed.
"We have no evidence that any of this data has been accessed," said Karrin Wilks, the system's vice president for academic and strategic planning. "We have provided updates for people to protect their information."
The latest incident is the third in less than a year involving the potential exposure of information on thousands of people. The stolen laptop is considered the most serious potential breach. It came months after the Social Security numbers of students and alumni of the Vermont Technical College were posted on that school's Web site by mistake.
Contact Darren Allen at darren.allen@rutlandherald.com

