Personal Data at Risk in Hack

Last month’s hack of a Graduate School of Arts and Sciences (GSAS) Web server may have compromised 10,000 sets of personal information from applicants and students, including 6,600 Social Security numbers and 500 Harvard ID numbers, the University said yesterday.

According to the University’s Chief Information Officer Daniel D. Moriarty, when Harvard realized after a preliminary scan of the disseminated information that “the same methods that the hacker used could have exposed other data,” they began cataloguing the rest of the server’s contents.

“Regrettably, that’s when we found this sensitive information,” he said. “Those initial scans did not find any information.”

Harvard began notifying those who may be affected today, after an investigation determined that the University could no longer stand by its initial conclusion that no personal information had been accessed and disseminated.

Officials said they had been unable to determine if any information had been compromised, and so had decided to notify everyone who was potentially affected and give access to identity theft services free of charge.

“We’re not going to be able to rule out that the individuals may have gotten access to this other information,” Moriarty said.

“We’ve basically decided to proceed as a conservative measure with notifying the individuals who have been impacted and lining up the [identity theft] services for those individuals.”

The University has contracted the security firm Kroll Inc. to offer identity protection services, including credit reports and setting up fraud alerts.

The hacker made a portion of the server’s contents available for download through a popular BitTorrent peer-to-peer file sharing site, “The Pirate Bay,” where users can easily obtain large files.

The data made available through that site contained no personal information, Moriarty said, but the hacker would have had access to all the information on the server.

Moriarty added that the server’s security had been strengthened to guard against similar attacks, but declined to elaborate on specific improvements.

“All known issues were addressed and patched and then the system was brought online,” he said. “Commenting on details would obviously weaken the University’s security.”

Moriarty said that he ”wouldn’t be comfortable putting a time-frame” on the ongoing investigation into the incident.

“There’s a lot of additional analysis we can do,” he said, “but it’s going to take time.”

—Staff writer Clifford M. Marks can be reached at cmarks@fas.harvard.edu.