Harvard University Hacked. Personal Data Uploaded to BitTorrent

There is a reason for information security and best practices. Ignoring things like setting strong passwords and having an account lockout policy will have perilous consequences. Just ask the 10,000 applicants to Harvard Graduate School of Arts and Sciences who had their personal information, including their social security numbers, uploaded to Bit Torrent. That data is there because the Harvard server admin used an easily guessable password.

From the AP here:

Harvard says about 10,000 of last year’s applicants may have had their personal information compromised, with 6,600 having their Social Security numbers exposed.

The school says it will provide the applicants with free identity theft recovery services and help them with credit monitoring and fraud alerts.

The details of the hack were posted last month at Torrent Freak here:

A Harvard University website has become the victim of a major security breach. A torrent currently tracked by The Pirate Bay which links to a 125mb .zip file, claims to be the backup from the Harvard Graduate School of Arts and Sciences website.

The backup contains three other major database files and a .NFO file included with the release says in broken English: “Maybe you don’t like it but this is to demonstrate that persons like tgatton(admin of the server) in they don’t know how to secure a website.”

A file included with the release labeled password.txt carries a message:

Thomas gatton….stupid people, you don’t use a secure password.

This appears to be a reference to Thomas Gatton, Systems Administrator and User Support Specialist at Harvard.

It’s one thing to be rejected by an Ivy League School. Its quite another for the Ivy League School to allow you to become the victim of identity theft.