Brandon University firewalls were no match for a brash computer hacker who infiltrated the system and gained access to sensitive information on one of the school’s internal servers recently.
After jail breaking the server sometime prior to Oct. 14, the hacker emailed the school to inform them that the server had been cracked.
On Thanksgiving Day, the hacker sent an email showing one of the documents that had been obtained from the server.
"We asked for proof and the person sent back what they had seen," BU president Deborah Poff said. "We asked what they saw because you don’t know if they are just making it up ... It was a very old application."
However, it wasn’t until four days after the evidence surfaced that students were briefed via email.
Students were kept in the dark as to what happened, many of them angry and confused that they couldn’t access the university’s website from an external location after it was shut down as part of a systematic sweep.
"We’re upset about it," Brandon University Students’ Union president Stephanie Bachewich said. "I wouldn’t want my personal information being viewed by someone else. This information is supposed to be protected and that is the university’s responsibility to have the appropriate services."
She questions why it took four days to release the statement.
"It’s alarming and we felt the students weren’t informed about what was going on," Bachewich said.
It’s also alarming that the student, whose application was used as proof of the hack, hasn’t been notified yet, something Poff said would be part of the next step in the process.
In her email to staff and students, Poff said a number of measures were immediately taken after the "computer system had been accessed by a person unauthorized to do so."
The actions included taking the website offline, removing access to servers that may be vulnerable, contacting the local police, contracting a private company to investigate and solve any security issues and contacting the provincial Ombudsman regarding privacy issues.
Poff is confident the breach is concentrated to one of the school’s 40 servers, but didn’t know how much information the hacker had access to.
"I don’t want to talk about the information that is on our servers," she said. "It’s a possibility (that the hacker saw other information). It’s not that we have any evidence (that other data was viewed), it’s that if the person saw one thing they might have saw something else."
They are also doing everything they can to track down the hacker —a process that is proving difficult.
"The issue is we may never know who this was because people can use false accounts or bounce their message from a country they don’t even live in," Poff said.
At the moment, the school is still being examined for any potential vulnerabilities in its network.
"We are being as cautious as we can so we’re looking at every record on every server."
Republished from the Brandon Sun print edition October 23, 2013