Hacker breaches Hopkins server, but officials say identity theft not a concern

Names, email addresses and phone numbers from about 850 current and former Johns Hopkins University biomedical engineering students were posted online Thursday, stolen by someone claiming to be part of the hacker group known as Anonymous.

The breached server did not contain Social Security or credit card numbers, or any other data that would make identity theft a concern, university spokesman Dennis O'Shea said.

The hacker was attempting to extort the university for further access to its servers, threatening to post the information online unless officials handed over server passwords, O'Shea said. The university did not comply, he said.

Officials initially believed that as many as 1,300 people could have been affected, but said later they found duplications in the data and that 848 current and former students were included.

Hopkins officials said they are cooperating with an FBI investigation into the breach. An FBI spokeswoman could not be reached for comment Thursday night.

Part of the database pertained to a class in which students work in teams to solve engineering problems. It contained information on students who enrolled in the class from 2006 through the fall of 2013, O'Shea said. Officials alerted all engineering students of the breach in an email Tuesday and also planned to contact former students.

"Identity theft does not appear to be a serious issue here," O'Shea said. "Nevertheless, we felt it was important to notify our students, faculty and staff, and alumni."

The server, primarily used to produce the biomedical engineering department's website, also contained names and contact and biographical information for faculty and staff, data that is publicly available on university websites. It also contained comments students submitted evaluating the engineering course and their classmates, but it did not include grades.

Hopkins officials said they believe the breach occurred in November. They were alerted to a vulnerability in the server via a Twitter message in January, after which, they said, they secured the database.

A person claiming to be the hacker contacted university officials via email Wednesday, detailing the breach and making the extortion threat. Hopkins officials said they would not hand over the credentials the hacker was seeking, and said they are pursuing efforts to have the stolen data taken down from websites where it has been posted.

O'Shea declined to say where the information had been posted.



Copyright © 2020, The Baltimore Sun, a Baltimore Sun Media Group publication