Iowa State Hacked–To Mine Bitcoins

Officials at Iowa State University said Tuesday that the personal data of nearly 30,000 alumni, including Social Security numbers, was compromised during a data breach.

It’s an odd week these days when there isn’t a data breach at some university or college. These institutions are prime targets for attackers for several reasons, not the least of which are their open network environments and databases bulging with personal information. But now attackers are looking at college networks for another reason: computing power for Bitcoin mining.

Officials at Iowa State University said Tuesday that the personal data of nearly 30,000 alumni, including Social Security numbers, was compromised during a data breach. University officials did not specify when the breach occurred but said that it was first discovered on Feb. 28.

However, the university identified several separate servers that were involved in the attack and said that they were compromised specifically to mine Bitcoins.

“The hacking was first discovered on two of the infected servers on February 28th, 2014 and the breach was repaired by March 3rd. Our investigation indicates the hacking occurred on February 3rd. The determination that students’ personal information was on the infected servers was made March 17th. A third infected server with personal information was identified on March 28th. Law enforcement officials have been notified of the incident. An Iowa State response team has also been working on this issue, and is taking steps to increase computer security and help prevent similar incidents from occurring in the future,” a letter from Jonathan Wickert, ISU provost and senior vice president, to affected former students says.

The SSNs and other information of 29,780 students who went to ISU between 1995 and 2012 was exposed during the breach, but officials said no financial data was exposed.

“We don’t believe our students’ personal information was a target in this incident, but it was exposed,” said Wickert. “We have notified law enforcement, and we are contacting and encouraging those whose Social Security numbers were on the compromised servers to monitor their financial reports.”

Mining Bitcoins requires two things, time and computing power, and people who have one may not have the other. So attackers with time on their hands and some ambition to mine Bitcoins can take a shortcut by hijacking other people’s machines. There have been a number of strains of Bitcoin-mining malware that have emerged in the last or so, but the Iowa State breach is perhaps the first incident of its kind in which the victim specifically identified Bitcoin mining as the purpose of the attack.

“Those servers were hacked, and infected with unauthorized software that sought to generate enough computing power to create digital currency known as Bitcoin,” the letter from Wickert says.

The university decommissioned the compromised servers and then physically destroyed them.

Image from Flickr photos of Ryan Wagner

Suggested articles