• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

         

Student Charged With Hacking at U-Texas
Karin Brulliard, Washington Post 2003-03-17

AUSTIN, March 14 -- Federal prosecutors today charged a University of Texas

student with breaking into a school database and stealing more than 55,000
student, faculty and staff names and Social Security numbers in one of the
nation's biggest cases of data theft involving a university.

Christopher Andrew Phillips, 20, a junior who studies natural sciences, turned
himself in at the U.S. Secret Service office in Austin. He was charged with
unauthorized access to a protected computer and using false identification with
intent to commit a federal offense.

Authorities had announced the cyber-theft last week. It sent shock waves
through the campus of the nation's largest university, prompting students and
staff to consider replacing credit cards and freezing bank accounts. There is
no evidence that Phillips disseminated or used the information, officials said.

Phillips was released without bail and will have "limited access to computers,"
Johnny Sutton, U.S. attorney for western Texas, said at a news conference. "The
main message today is that these cases will be taken seriously, these cases
will be prosecuted, and this case will be prosecuted vigorously."

If convicted, Phillips faces as many as five years in prison and a $500,000
fine, Sutton said.

After searching Phillips's Austin and Houston residences, Secret Service agents
recovered the names and Social Security numbers on a computer in his Austin
home, Sutton said. According to the indictment, Phillips wrote and executed a
computer program in early March that enabled him to break into the university
database that tracks staff attendance at training programs.

"This is a wake-up call to all institutions that use the U.S. Social Security
number as their customer ID number," said Dan Updegrove, the university's vice
president for information technology. "It's something that all of us have to
undo."

The university began in late 2001 to limit its dependence on Social Security
numbers as database identifiers, Updegrove said. Within two years, the
university will use an electronic identification number that can be matched
only to Social Security numbers in a hidden database, he said.

The data theft is probably the biggest ever at a university, said Jay Rosen,
director of consumer and victim services at the Identity Theft Resource Center,
a nonprofit group in San Diego.

"It's a massive undertaking as to what [the hacker] did," he said, noting that
identity theft is a growing problem nationwide. "All I need to steal your
identity is your name and your Social Security number."

       

Expand all | Post comment