Viruses infect Admissions server

An Office of Admissions server containing personal information of current, prospective and former undergraduate students was infected with a number of viruses on Nov. 11.

A security report on Nov. 16 showed “suspicious activity” on the computer, which was then put under investigation by members of Information Technology Services.

Malware infected the computer, which is used as a server for admissions that helps process electronic admissions applications. This malware could have allowed a person outside the university to access the server from Nov. 11 until it was discovered on Nov. 16. It was not confirmed whether any files containing student information were accessed.

The electronic application data of about 9,000 individuals who applied to Eastern between March 2000 and November 2009 were located on the computer, said Adam Dodge, Eastern’s information technology security officer.

“It is important to note that not all individuals that applied during this period were affected, only a small percent,” he said.

The information in the server includes names, Social Security numbers, dates of birth, mailing addresses and other contact information, Dodge said.

“This does create a small chance of identity theft, which is why the university has contracted (with Experian) to provide these individuals with a free one-year membership of credit monitoring and ID theft protection,” he said.

A notification released Friday on Eastern’s university newsletter states that Eastern has signed a contract with Experian, a credit-monitoring company. Those who may be potentially impacted are eligible to receive a free one-year membership in Triple Alert from ConsumerInfo.com, where one can receive credit reports. Vicki Woodard, coordinator of public information, was unable to comment on the cost of the contract Sunday night.

Although the investigation began almost immediately, Dodge said many factors contributed to the nearly three weeks of delay in making the announcement. First, an in-depth investigation by Dodge’s office took about three days to complete. After that, the university worked to gather information of the individuals’ information on the server, collected and verified addresses, and contracted with Experian, Dodge said.

This was not a targeted attack against the university and there is no way of knowing who had control over the server yet, he said.

“Given that this incident involves computers in different countries, it becomes very difficult to trace down the individual that may have had access to the server,” Dodge said.

The university mailed the letters of notification to applicants potentially affected Thursday and Friday. The university wanted to wait until the letters were sent before making any announcement, Dodge said.

Students who applied to Eastern electronically and learned of the notice said the university should have responded sooner.

Ivan Morales, a senior elementary education major, said the university should have sent out an e-mail instead of using a section of its Web site to notify people.

“I’m upset the school failed to inform us properly,” Morales said. “It’s a shame they hide this information from us. They should have taken better steps to notify us.”

Bridget Mischke, a freshman math major, agreed and said she is nervous about possibly receiving a letter in the mail.

“It’s scary,” she said. “I don’t want anyone knowing my Social Security number.”

John Nolan, a freshman history major, said he thinks the university’s initiative is on the right track.

“I just hope they fix this problem,” he said. “It could affect a whole lot of people.”

In the case of similar problems in the future, Dodge said Eastern has started a full security review of campus servers.

“My office has developed additional reports that will help identify potential problems in the future,” he said. “In addition, ITS is working with departments on campus that have servers to review the configuration of these servers.”

The University Police Department is aiding the university in the investigation.

Eastern has set up a Web page and FAQ with more information. To visit it, follow this link: www.eiu.edu/notice.

Tyler Angelo can be reached at 581-7936

or DENeic@gmail.com.