A computer hacker may have obtained Social Security numbers and other personal information of more than 4,300 current and former Omaha Public Schools employees.
An investigation into the attack on the Omaha School Employees Retirement System website, detected Dec. 21, was unable to determine whether information was stolen, Michael Smith, executive director of the system, said Thursday.
“We have yet to be able to prove to ourselves that they were unsuccessful,” Smith said.
The district sent letters to affected employees, warning them to take steps to protect their credit. Smith said the district intends to monitor the situation over the next few months for reports of identity theft, but as of yet he had not heard of any misuse of the information.
School officials notified employees to place a fraud alert on their credit file. The alert is to tell creditors to contact the employee before they open any new accounts or change existing accounts.
“While we are unable to confirm that unauthorized access actually occurred, we are concerned that it did,” Smith wrote.
The hackers attacked a database of names, birthdates, Social Security numbers, years of service and beneficiaries. The database did not contain bank or credit card information, but the personal information in it could be used for identity theft, he said.
Smith described the attack as “a purposeful attack to access the administrator log-in” on the website. The site provided brochure-type information on retirement and also a retirement benefits calculator.
Within two hours of receiving notification of the breach, the district blocked all Internet access to the site and brought in a computer security firm to investigate, he wrote. The investigation wrapped up Jan. 5, after which the district prepared and sent the letters.
Smith apologized, in the letter, for the breach.
The district has removed the retirement website from the Internet until it can be rebuilt without the personal information data files, he wrote.
The attack was identified as an “SQL injection,” which stands for structured queried language.
SQL injections are one of the most common Internet attacks, according to Courtlend Little, senior security strategist for Solutionary, an Omaha security firm.
They are fairly easy to do, and if they succeed, “you hit a home run,” Little said.
They typically attack websites that feature online forms, he said. The forms are designed to accept information and send it into a database, a one-way system. The hacker turns it into a two-way system to extract information, he said.
In 2009, a Miami man was federally indicted for conspiring to use an SQL injection attack to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, according to the U.S. Department of Justice.
Contact the writer:
402-444-1077, joe.dejka@owh.com
Copyright ©2012 Omaha World-Herald®. All rights reserved. This material may not be published, broadcast, rewritten, displayed or redistributed for any purpose without permission from the Omaha World-Herald.
