Brute force social security number guessing attack launched against University of Texas database

Incident Date: March 2 2003
Incident Location: Austin TX USA

On March 2, 2003 information technology personnel at the University of Texas at Austin (UT) detected a malfunction with one of their computer servers. Upon analyzing the malfunction they determined that the server had experienced an attack from the Internet.

The server was used to maintain a database named TXCLASS, which contained data related to employee training program completion. The database identified people based on their U.S. Social Security number and contained their corresponding email address, mailing address, phone numbers, title, department information, along with names and dates of employee training programs. Records were available for some current and former students, current and former staff, and job applicants from the 15 years predating the attack.

An attacker had apparently discovered that TXCLASS records on the server included the Social Security number of a person who had submitted their information. This attacker subsequently wrote a program to attempt a brute force guessing attack of possible Social Security numbers to find out which ones were associated with valid user records. After several million attempts, the attacker was successful in retrieving data pertaining to around 55,200 individuals.

Upon investigating the attack, law enforcement personnel concluded that the attacker was actually an UT undergraduate student, Christopher Andrew Phillips. He was arrested by the U.S. Secret Service on March 14, 2003 and charged with unauthorized access to a protected computer and using a means of identification of another person with intent to commit a federal offense. As of November 2003, Mr. Phillips was out of jail without bond and waiting to be indicted by a grand jury. The court prohibited him from using computers without its permission.

While there was no indication that the stolen information was further disseminated or used for criminal purposes, UT undertook the significant task of notifying all individuals whose personal information was compromised. As of October 2003, seven months after the incident, UT staff had contacted 92% of the targeted individuals.

In 2001 UT had begun a project to migrate database records and systems away from using the Social Security number of individuals as a primary means of identification. The breached system had not been updated by this project at the time of the attack.


Story Sources

Title: University hacker still awaits indictment
Author: Jonathan York
Date: 11/20/2003
Publication: The Daily Texan
Publication Location: Austin TX USA
Publication URL: http://www.dailytexanonline.com/news/2003/11/20/University/University.Hacker.Still.Awaits.Indictment-563137.shtml

Title: Data Theft Update (October 2003)
Author:
Date: 10/1/2003
Publication:
Publication Location: Austin TX USA
Publication URL: https://www.utexas.edu/datatheft/update_october2003.html

Title: Initial Report -- March 5, 2003, 10:00 p.m.
Author:
Date: 3/5/2003
Publication:
Publication Location: Austin TX USA
Publication URL: https://www.utexas.edu/datatheft/report.html


Do you have additional information to contribute regarding this story? If so, please email siteupdates@passwordresearch.com with the details and source.

<-- Back to Authentication Story Index





[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com