Hacker Accesses USC Files

Responding to what is believed to be a small security breach of a campus database, USC is contacting 270,000 actual and would-be applicants who provided personal information to the university since 1997.

USC officials said a hacker discovered a security flaw in the online application database and apparently viewed information on fewer than 10 students.

But as a precaution, the university will send letters to all of the potentially affected individuals.

According to USC, the hacker may have had access to student names, addresses and Social Security numbers, but not to credit card numbers or other financial information.

“All of our forensic analysis tells us that there was no massive download of data,” said L. Katharine Harrington, USC’s dean of admission and financial aid.

“Although we believe that the scope of this is pretty small, we’re taking it very seriously ... and we are taking great care to notify every single person where there is even the potential that their records might have been viewed.”

Robert M. Wood, USC’s information security officer, said the episode apparently began when a prospective applicant was trying to use the USC website on June 20 and discovered the security flaw.

At that point, the applicant is believed to have made up to 40 attempts to view student files, although officials estimate he saw only a few.

The suspected hacker then contacted an online publication, SecurityFocus, to report the flaw, and the publication in turn informed USC.

Wood said the matter has been turned over to the FBI for investigation, but he doubted that any criminal case will be pursued.

“There doesn’t appear to have been any malicious attempt to gather data,” Wood said.

FBI officials declined to comment.

The 270,000 potentially affected people are those who used USC’s online system to apply for admission, or who at least started the application process, over the last eight years.

The online undergraduate and graduate admissions services have been shut down while security fixes are being made, but they are expected to be back up sometime next week.

Those concerned that their personal information may have been released can call USC at (213) 740-2311.

A toll-free number is expected to be set up Monday.

The security breach at USC comes amid a wave of data security failures this year reported by such businesses as MasterCard International, LexisNexis, Bank of America Corp. and Citigroup Inc., which said the financial information of 3.9 million customers was lost by United Parcel Service Inc.

Since the middle of last year, computer security lapses also have been reported at other California schools, such as UCLA, UC Berkeley, UC San Francisco and Cal State Chico, as well as Northwestern University and Tufts University.