Hacking at UNC cancer center exposes personal data

Jan. 02, 2013 @ 04:43 PM


Two computer servers at UNC Chapel Hill’s Lineberger Cancer Center were hacked last spring, potentially exposing the personal data — including Social Security numbers — of more than 3,000 people.

According to H. Shelton Earp III, the director of the center, the servers hosted software programs and stored files containing contracts and administrative forms such as grant applications, expense reimbursement forms, information about research studies and other personnel and administrative documents.

Some records contained personal information for individuals who worked for Lineberger, participated in research studies or otherwise were affiliated with the center, Earp wrote in a letter last week to those whose information may have been compromised.

Lineberger waited seven months to inform those whose personal data may have been at risk because “of a time-consuming process” designed to determine which files — out of 1.6 million hosted on the servers — actually could have been exposed, explained Ellen de Graffenreid, the director of communications at the center.

It was “a process that consumed significant time and resources, an investigation by the university and by a leading information security forensics firm,” de Graffenreid added.

“We wanted to insure that the notification was legitimate before we took the steps of informing people. Our first responsibility is to provide accurate information and that could not have been done in a precipitous manner. We did not want to alarm anyone unnecessarily.”

Ultimately, 3,300 files were identified as at risk. Each of those files was then examined by a human being to determine whether it contained personal information, why that information had been stored and whether contact information for the individual was available.

At least one former UNC employee whose information was on one of those files that may have been compromised was perturbed the university waited so long before telling him of the security breach.

“To my mind, the handling of this incident reflects very badly on the manner in which UNC weighs the benefits and costs of disclosure,” said Paul Farel, a professor emeritus at the UNC School of Medicine.

“It’s a question of, do you panic a lot of people and possibly prevent fraud or do you wait until you are more certain? The way they made the decision, it seems to me, benefits the university more than those who were affected.”

Farel, who worked at UNC for 40 years, called the handling of the issue “totally impersonal.”

It’s not “the attitude that I would expect from a university to its constituents,” he said. “It’s more the attitude of a big business dealing with customers. It’s disconcerting.”

The hacking apparently took place, officials said, between Feb. 12 and May 18 of last year when the personal information may have been exposed. Information security employees discovered the hacking during routine procedures.

De Graffenreid said that some Social Security numbers had names attached and some did not. Some files included dates of birth and a small number of them had passport numbers. Most files involved people who were employed at the center permanently or temporarily, as student workers, or individuals who came to the center for lectures and were reimbursed for travel or made grant applications.

After the breach was discovered, the servers were immediately blocked and then moved behind an additional level of security, de Graffenreid said. While the university contacted both university police and state officials about the hacking, they were unable to trace the operation and to determine who might have been the perpetrators.

It’s not the first time there has been a breach of computer security at UNC.

In 2009, School of Medicine officials discovered that a server for the Carolina Mammography Registry, which held data for a 15-year project, had been infiltrated two years earlier. The university at the time didn’t believe any personal information was removed, but nevertheless notified all 180,000 women with data on the server and initially wanted to fire the professor in charge of the registry.

Farel contrasted how differently the university seems to be handling the latest breach.

“We never heard then that there was personal information compromised that could lead to identity theft, and yet the university held a professor responsible,” Farel said. “This seems much worse, and yet the university is moving so slowly.”

Earp’s letter advised recipients to contact credit bureaus to guard against the possibility of identity theft, although, he acknowledged, it wasn’t certain “whether your personal information was accessed by an unauthorized person as a result of this incident.”

Identity theft is “obviously a major concern for the individuals involved,” de Graffenreid said. “We understand that. The number of files examined by hand is an indication that we take this very seriously. We’ve been working with the highest sense of urgency. Those involved are mainly those who work here, so this is essentially us, and we have been very, very concerned about it.”