Incident Report

December 4, 2007

Dear Law School community,

Thank you very much for your patience as we continue to work to restore our web site and understand the full ramifications of the attack on our web site and server. The attack was a criminal act, and it is now being investigated by law enforcement officials. We know that some of you have questions about the attack, and we want to provide as much information as we can without compromising the ongoing investigations. I'll attempt to do that here.

Earlier this evening, the Law School sent emails to about 3,200 prospective and current applicants notifying them that some of their personal information was exposed during the recent attack on our web site. We have no evidence that the intruders actually downloaded or acquired any of this information. Nonetheless, we know the intruders had the opportunity and the tools to do so, and we therefore felt it was important to notify those who might have been affected as quickly as possible.

A press release has been posted on Duke University's web site. Following is a set of questions and answers to help explain what has happened and address concerns you may have:

What happened?
On Thursday, Nov. 29, at about 3:30 p.m., we detected unauthorized links and coding in our web site. As soon as a breach was confirmed, we took the site offline and launched our investigation. By Friday, it appeared that we had removed the unauthorized content, and we reposted the web site. Our continuing investigation, however, found that the web server had been compromised, and that the attack had penetrated more deeply than originally thought. We took the web site down again by Saturday morning pending a more complete security scan by the university's IT Security Office. We do not believe that any new problems were introduced during the short time that the site was reposted.

As we further evaluated the site, we found that several databases stored on the server were exposed during the attack. We also determined that the first intrusion occurred in early November, when a directory of foreign files was inserted into the site. Another set of files was deposited on Thanksgiving Day. We believe that nothing was done with these files until the attack began on the afternoon of Nov. 29.

What was on the exposed databases?
There were two databases containing sensitive or potentially sensitive information. The first held records containing information submitted by prospective applicants who were requesting information from the admissions office. A small percentage of those prospective applicants had provided Social Security numbers when they completed our online request form. That group of 1,400 prospective students received notifications this afternoon about the security breach. Two individuals in this group are current first-year students; they have been notified of the breach by Law School officials.

Duke University has a policy not to gather Social Security numbers, except in a limited number of circumstances including some transactions with applicants and prospective applicants. The Social Security numbers in this database were no longer being used, and we had in fact stopped collecting them from applicants earlier this fall. But the database had not been purged of old data. We are reviewing our policies to ensure we are in full compliance with all policies that pertain to the handling of Social Security numbers.

The second database in question included contact information and self-generated passwords for about 1,800 current applicants who were using our web site to track the status of their law school applications. Even though our second database did not contain Social Security numbers, we also have notified this group of the security breach, in case the passwords they used on our site are the same as the passwords they use on other sites.

How has this affected the Law School faculty, staff and students?
Other than the two current students whose information was contained in the prospective applicant database, no personal information for faculty, current students, staff or alumni was exposed during this security breach. Our Groupwise email system was not affected.

What has been done to advise and help the people who were affected?
When we determined that the databases had been exposed during the attack, we quickly began the process of notifying those who were affected. We consulted with law enforcement officials and university counsel to ensure that the notifications would not interfere with our investigation or any investigation an outside agency would conduct. We sent emails and are following up with letters to those whose Social Security numbers were exposed. We also sent email notification to those whose contact information and passwords were exposed. Both groups were advised of precautionary steps they can take to monitor their credit. We have set up a special phone number and email address for applicants who may have questions, and our admissions staff is talking with them and trying to address their concerns.

What has been done to secure the web site and prevent this from happening again?
Over the weekend, we moved the site off our web server to allow us to install a completely new operating system and new software. While that was being done, we also reviewed all the data from the old server's system for remnants of the intrusion. We believe the core sections of the site will be restored Tuesday evening or Wednesday morning, although some pages and services will take longer to restore. The application status tracker is being restructured so that it will not require passwords. Social Security numbers have been removed and will not be stored on our web server.

What is the state law regarding information security?
The North Carolina Identity Theft Protection Act requires that people be notified of a security breach involving their sensitive personal information, such as Social Security numbers.

We are continuing our investigations into how this attack occurred and what additional steps can be taken in the short and long term to further secure our web site and all our electronic data. We will update you on our progress in coming weeks, and we will provide a full report to the community once the investigation and security planning are complete. In the meantime, if you have any questions or concerns, please feel free to contact me, Liz Gustafson, or Jill Miller.

Sincerely,

Melinda Vaughn
Executive Director of Communications

Security Breach FAQ

If you have questions about the notice you received from Duke Law informing you that your information may be at risk, contact us at:

(919) 613-7259 or webdata@law.duke.edu

Steps you can take to protect yourself:

  1. Monitor your credit by obtaining credit reports from each of the major credit bureaus. You can obtain one free report each year from each bureau; consumer organizations recommend staggering your requests over the course of the year. See www.annualcreditreport.com for information.
  2. Place a 90-day fraud alert on your credit report. The alert is free and easy to set up. You can set up an alert every 90 days if you want. The FTC provides information and tips.
  3. Credit bureaus, banks and other organizations will monitor your credit for a monthly fee. See the Identity Theft Resource Center for more information on how you can protect yourself.
  4. Additional links to helpful resources: