Security Breach Affects Nearly 30,000 Iowa State Students

There are currently about 30,000 students that have spent this week wishing that they chose a different university. These are the students on file at Iowa State University. These are also the victims of a major security breach.


Photo: wavebreakmedia / Shutterstock

The Problem at Hand

The IT staff at Iowa State identified a security breach in five different departmental servers. Within these servers, the information of at least 29,780 different current students and alumni of Iowa State was held. The information on file included either or both the individual’s social security number (SSN) and university ID number. Obviously, the potential for exploitation of these leaked SSN is the biggest concern.

Students Past and Present At Risk

Anyone that was enrolled at Iowa State University between 1995 and 2012 should consider themselves at risk of this security breach. These are the years of information that were kept on file within the affected servers.

How This All Happened

Interestingly enough, the student’s information was not the main goal. The hacker, or group of hackers, managed to get into the school’s servers. From there, the attacker directed the school’s computing power at mining bitcoins.

While it is not certain, it is possible that the point of entry was through an exploit in the server creator, Synology. This company has mentioned similar attacks where their servers were compromised in the past for the purpose of mining bitcoins.

Should You Be Worried?

After review, the IT staff at Iowa State University determined that there is no reason to believe that any of the student’s sensitive data was actually accessed. Rather, the concern simply comes from the fact that this information was exposed, which means that there is no way to definitively say that it was not seen by anyone and that it will not be used in an illicit way.

What Students Need to Do

If you are a student at Iowa State University right now, you are probably already in the loop. However, most of the affected students are no longer enrolled. If you are someone that went to school at Iowa State between 1995 and 2012, you will most likely hear from the school within the week. They stated that they would be contacting all students to notify them if they have been affected by this security breach.

The school is working to keep the victims’ information as safe and un-damaged as possible. As such, they have hired AllClear to provide identity protection services to those that have had their information compromised.

Additionally, the school is investing in a year’s subscription for a credit monitoring program for the affected students. This may stretch on for a second year as well.

Going forward, there is no reason to believe that any of your information will be at risk. Iowa State University has already completed the destruction of the affected servers. Identical types of these servers have also been pulled from the Internet. They will return after a hacking prevention program is installed within them.

Other Bitcoin Mining Hacks

This is not the first time that an attacker compromised a server for the purpose of mining bitcoins with the available computing power. The first big story came back in the spring of 2013 when it was announced that a rogue employee at E-Sports Entertainment Association forced a bitcoin mining Trojan into one of their updates. It was believed that upwards of 14,000 computers ended up installing this update and being affected as a result.

Interestingly enough, people have repeatedly hacked servers mining bitcoins for many years now. The thing is that most of these cases do not make it to the mainstream media. This story did, obviously, because it was a state university that was affected. There are still many other servers that are or were compromised with the same intent.

Closing Comments

While it may not be as worrisome as having a server hacked to illegally use exposed data, the worry is definitely still there as none of the affected people can know for certain that they’re in the clear. Of course, given the nature of the crime, most people will also assume the worst in a case like this.

If a hacker is unethical by nature, it’s hard to believe that they will be partially ethical by not concerning themselves with people’s exposed information. After all, the value of the information of these near 30,000 victims alone is most likely worth more than the value of all the bitcoins mined as a result.

Still, it seems that the victims of the recent Iowa State University hacking may not be in as bad of a position as they would have thought. The school has been doing everything they can to make sure that everyone is still protected.

Their partnership with AllClear and their providing of credit monitoring services to the affected individuals definitely makes it seem that if worst comes to worst, any damage will be quickly combated.