In my ongoing coverage of George Mason University’s patent mismanagement, I have another stunning show of competence and reliability to report. GMU just got hacked; GMU just got hacked bad.
The Washington Post reports that online intruders accessed the information of more than 32,000 students, faculty, and staff at the school by hacking the school identity card system (read the article, free registration may be required). The information included in those accounts could easily be used for identity fraud, and GMU officials are encouraging members of the school community to contact the major credit bureaus and flag their accounts.
Not surprisingly, “Walsch said the data were housed on computers running Microsoft Windows systems.” GMU’s is the only IT department I’ve ever dealt with that actually prefers Windows to secure, reliable competitors (like Red Hat Linux, Sun Solaris, or Mac OS X if you want corporate support). I specifically warned them in a letter after a spate of network problems in 2001 that it was in their best interest to ditch the buggy Microsoft systems. They cannot say they were not warned; I did some of the warning!
While GMU seems to only mention the current “Mason community,” I still have an account at the school (as do many former students). Thus, I’m at risk too. How do they plan to notify me? They can bulk-email the current 32,000 students, faculty, and staff; what about us former students? And does the school plan to reimburse me for any financial and legal costs that may be incurred if somebody does, indeed, commit identity fraud with information loosed by Mason’s insecure servers?
I’m guessing a) they won’t bother to notify former students, and b) they’ll respond to any identity theft with a ‘your problem, not ours’ kind of reaction.
Well it is, in many ways, ‘our problem’ anyway. We have to watch our accounts closer. We run the risk of having fraudulent activity affect our credit rating. We have to go through the trouble of reporting this to the credit agencies. Blah blah blah.
Yesterday’s CNET article (where I first learned about this) ironically pointed out that GMU is “home to the Information Security Institute, the Lab for Information Security Technology and the Center for Secure Information Systems, which has been designated a ‘Center of Academic Excellence’ by the U.S. National Security Agency.” It’s good to know that the constant tuition increases, gobs of tax money, and hundreds of federal grants are going to a good cause: a paragon of information security study that cannot even secure its own systems.
(Updated from yesterday with a more reliable source and new information)