Duke Law School, Hacked
Down at Duke Law School, they have a highly regarded new dean: David F. Levi, former Chief Judge of the Eastern District of California. But maybe what they really need is to create a new position: "Cyber-Security Czar."
It appears that their website has been hacked. Visitors to the site see the message at right.
In addition, a security breach has compromised the safety of the personal information of some applicants to the law school.
Emails sent to current Duke law students and applicants to the law school, after the jump.
EMAIL MESSAGE TO DUKE LAW SCHOOL STUDENTS
Current members of the law school community received this information:
Dear Law School community,
Thank you very much for your patience as we continue to work to restore our web site and understand the full ramifications of the attack on our web site and server. The attack was a criminal act, and it is now being investigated by law enforcement officials. We know that some of you have questions about the attack, and we want to provide as much information as we can without compromising the ongoing investigations. I'll attempt to do that here.
Earlier this evening, the Law School sent emails to about 3,200 prospective and current applicants notifying them that some of their personal information was exposed during the recent attack on our web site. We have no evidence that the intruders actually downloaded or acquired any of this information. Nonetheless, we know the intruders had the opportunity and the tools to do so, and we therefore felt it was important to notify those who might have been affected as quickly as possible.
Following is a set of questions and answers to help explain what has happened and address concerns you may have:
What happened?
On Thursday, Nov. 29, at about 3:30 p.m., we detected unauthorized links and coding in our web site. As soon as a breach was confirmed, we took the site offline and launched our investigation. By Friday, it appeared that we had removed the unauthorized content, and we reposted the web site. Our continuing investigation, however, found that the web server had been compromised, and that the attack had penetrated more deeply than originally thought. We took the web site down again by Saturday morning pending a more complete security scan by the university's IT Security Office. We do not believe that any new problems were introduced during the short time that the site was reposted.
As we further evaluated the site, we found that several databases stored on the server were exposed during the attack. We also determined that the first intrusion occurred in early November, when a directory of foreign files was inserted into the site. Another set of files was deposited on Thanksgiving Day. We believe that nothing was done with these files until the attack began on the afternoon of Nov. 29.
What was on the exposed databases?
There were two databases containing sensitive or potentially sensitive information. The first held records containing information submitted by prospective applicants who were requesting information from the admissions office. A small percentage of those prospective applicants had provided Social Security numbers when they completed our online request form. That group of 1,400 prospective students received notification today about the security breach. Two individuals in this group are current first-year students; they have been notified of the breach by Law School officials.
Duke University has a policy not to gather Social Security numbers, except in a limited number of circumstances including some transactions with applicants and prospective applicants. The Social Security numbers in this database were no longer being used, and we had in fact stopped collecting them from applicants earlier this fall. But the database had not been purged of old data. We are reviewing our policies to ensure we are in full compliance with all policies that pertain to the handling of Social Security numbers.
The second database in question included contact information and self-generated passwords for about 1,800 current applicants who were using our web site to track the status of their law school applications. Even though our second database did not contain Social Security numbers, we also have notified this group of the security breach, in case the passwords they used on our site are the same as the passwords they use on other sites.
How has this affected the Law School faculty, staff and students?
Other than the two current students whose information was contained in the prospective applicant database, no personal information for faculty, current students, staff or alumni was exposed during this security breach. Our Groupwise email system was not affected.
What has been done to advise and help the people who were affected?
When we determined that the databases had been exposed during the attack, we quickly began the process of notifying those who were affected. We consulted with law enforcement officials and university counsel to ensure that the notifications would not interfere with our investigation or any investigation an outside agency would conduct. We sent emails and are following up with letters to those whose Social Security numbers were exposed. We also sent email notification to those whose contact information and passwords were exposed. Both groups were advised of precautionary steps they can take to monitor their credit. We have set up a special phone number and email address for applicants who may have questions, and our admissions staff is talking with them and trying to address their concerns.
What has been done to secure the web site and prevent this from happening again?
Over the weekend, we moved the site off our web server to allow us to install a completely new operating system and new software. While that was being done, we also reviewed all the data from the old server's system for remnants of the intrusion. We believe the core sections of the site will be restored Tuesday evening or Wednesday morning, although some pages and services will take longer to restore. The application status tracker is being restructured so that it will not require passwords. Social Security numbers have been removed and will not be stored on our web server.
What is the state law regarding information security?
The North Carolina Identity Theft Protection Act requires that people whose sensitive personal information, such as a Social Security number, is exposed in a security breach be notified of that breach. The relevant statute can be found at http://www.ncga.state.nc.us/EnactedLegislation/Statutes/PDF/ByArticle/Chapter_75/Article_2A.pdf.
We are continuing our investigations into how this attack occurred and what additional steps can be taken in the short and long term to further secure our web site and all our electronic data. We will update you on our progress in coming weeks, and we will provide a full report to the community once the investigation and security planning is complete. In the meantime, if you have any questions or concerns, please feel free to contact me ([email address redacted]), Liz Gustafson ([redacted]), or Jill Miller ([redacted]).
Sincerely,
Melinda Vaughn
Executive Director of Communications
Duke University School of Law
EMAIL MESSAGE TO DUKE LAW SCHOOL APPLICANTS
Aspiring Duke law students received this message:
Dear [redacted]:
On Nov. 29, 2007, technical administrators at Duke Law School discovered that our website was compromised by electronic intruders. As soon as we learned of the breach, we took our site offline and launched a full security evaluation. During that investigation, we discovered that some personal information you provided for the purpose of tracking your application status could have been accessed by the intruders. That information includes home addresses, phone numbers, email addresses and the passwords you created to access your application status information.
While a separate database containing some Social Security numbers also was compromised during the attack, the application status tracker does not contain Social Security numbers and your Social Security number was never at risk. In your case, we are primarily concerned about the security of your password as it is linked to your email address. [Ed. note: Other applicants received an email message indicating that their SSNs were compromised. See here.]
We have no evidence that the intruders actually downloaded or acquired any of this information. Nonetheless, we know the intruders had the opportunity and the tools to do so.
If you use the same password for Duke Law that you use on other websites or online accounts, we recommend that you change those passwords. You may also consider monitoring your credit and placing a 90-day fraud alert on your credit report, both of which you can do for free through any of the three major credit bureaus. See www.annualcreditreport.com or http://www.ftc.gov/bcp/conline/pubs/alerts/infocompalrt.shtm for more information and instructions.
The security and safety of our community is of utmost importance to us, and Duke University works hard to protect the personal information of prospective students and other community members. We are taking all possible steps to address this breach and prevent it from happening again.
We have notified law enforcement agencies and will notify any relevant government agencies about Duke’s response. The intrusion was confined to our web server; data stored in other systems at the Law School and around campus were not compromised.
We regret that this situation occurred, and we apologize for any inconvenience to you. Please do not hesitate to contact me or Mark Hill, Director of Admissions, by calling [redacted] or emailing [redacted] if you have any questions or concerns.
Sincerely,
William J. Hoye
Associate Dean
Admissions and Financial Aid

first
First. Bam.
J.J. Redick drinks his own pee.
Uh... Duke Sucks?
"Guys at my high school used to drink J.J. Redick's pee all the time, it was no big deal."
Quoted for truth. Most sports beverages, such as Gatorade and Powerade, contain trace amounts of J.J. Redick's urine.
Guys at my high school would misuse "imposter" as a verb, when they really meant "impersonate," all the time, it was the penultimate "no big deal."
I heart WORD STUD.
It's not like Duke applicants have any real assets of their own to be concerned about. Now if they could get Daddy's Social Security number, that would be where the real value is.
$100 says it was Mike Nifong?
It was the next to last no big deal?
Guys at my high school would misuse "penultimate" thinking it was really a super form of "ultimate" rather than actually meaning "second-to-ultimate" all the time, really, it was kind of a big deal.
DUKE HATES AMERICA!
Q: How many Skadden real estate partners does it take to close a deal?
A: None! They're too busy getting coked up and dying like morons!
There are only two relevant posts about Duke.
XOXO here we come.
Ouch. That's the penultimate insult.
Guys at my high school would imposterize WORD STUD all the time, it was no big deal.
duke law students aren't from nj the way duke undergrads are. and they're better looking.
and WORD STUD just got pwn3d. as did 12:06, by association.
12:11 = still trying to figure out whether the girl who spilled a drink was a summer associate or not.
12:15 = hasn't figured out how to spell "owned," which is the penultimate error
12:15 - bullshit.
The hackers need to organize the personal data by hottest female law students.
WORD STUD - girl who spilled drink? Huh?
Good schools like Hofstra don't have their websites hacked.
12:26 - Would be a very short list. How about a list organized by "If I had to, she would be first"
Duke Law = TTT?
Or is it Top 10? What are the top 10 schools?
-- Paralegal with 172 LSAT Debating whether to Apply to Law School
Duke Law School = Top Ten Toilet
Guys at my high school used to have the comments on their blogs jump the shark all the time, it was no big deal.
12:30 #2: dead on. The law school was even worse than the student body at large (pun intended).
Also: could we please start using the correct spelling of 'Dook'?!?!
To the Paralegal with 172 LSAT Debating whether to Apply to Law School:
Don't apply to law school.
male law students complaining about female law students being unattractive is basically the same thing as a 350 pound man wearing a "no fat chicks" shirt.
The real victim here is Gerald Henderson.
1:25 - Ugly female Dook law student troll
1:55 - Classic!!!
If they would have used their American Express card, no identity theft would have occurred.
hahaha
Not everyone that goes to Duke is ugly...Period. For instance, Shelden Williams, Jon Scheyer, JJ Redick, Shavlick Randolph...
Buckle up for safety.
I'm not gay. Neither is Brian Davis.
Christian,
Why must you deny our love?
I wasn't crying...
2:13, see my post above. J.J. Redick may not be ugly, but he drinks his own pee.
P.S.
These comments have become utterly terrible. Damn auto admit and xoxo trolls.
I am the "penultimate" stud because I'm a black and asian stud
this year's 1L's are a pretty good-looking bunch, IMHO
When I was a Duke Law student a few years back, the talent of the female law students was less than awesome, but Duke's just up the road from the lovely ladies of Chapel Hill...problem solved!
All told, an awesome place to spend 3 years. Pretty solid faculty, small student population, cheap living expenses, and lots of things to do.
Duke, btw, is Top 10 about every other year - fluctuates with Cornell and a couple others around 9-12.
Forgot to mention, though, that IT is inept at Duke Law (even though the head of IT supposedly won some ridiculous IT Dude of the Year award back in like 2004).
Ah yes, the illustrious and highly prestigious "IT Dude of the Year Award". It's an exclusive club.
In Defense,
Barring a scholarship, wouldn't a simpler solution just have been to have gone to UNC Law, had the women closer, and saved a bucket of money?
I know, I know...then you wouldn't have had the guy that got the "IT Dude of the Year Award."
this is getting impossible to read. seriously
846 --- Fair point. Trouble is UNC (like most state schools) is really going to be best for students aimed at working in the state. Most students at Duke aim for jobs in NY, DC and other major markets. Plus, I was a total rankings whore and wanted the better school. I actually considered Texas before settling on Duke (Austin = awesome) but realized I had no interest in Texas and it would have been tougher to get to NY or LA from there. Not saying that it's impossible for students at schools like UNC or Texas to get the jobs in NY, etc, but since Duke really isn't that connected to NC, it would be easier.
Duke Law School football rocks!!
Probably could beat the real Duke Football team
Fair point--it's probably easier to get out of state big law jobs from Duke--but I have to say that I got a top 20 big law job as a UNC student and I'm barely even top 20 percent...It's a great school. Reputation ranking on US News puts UNC much higher than its actual ranking, which is lower because of the student-faculty ratio.
7:17 - Agreed. UNC student, not even top 40%, got a gig in Atl. paying $145k, which is market there. UNC's reputation, and network, definitely reaches out of state.
But "In Defense" probably has a valid point if you're strictly speaking of NY BigLaw. If I was a firm recruiting for a NY associate, and wanted someone who may actually stay more than 4 years in NY, Duke would probably be a better bet. Nothing against UNC, just a matter of where the student pop. has its roots.
Yeah, I agree that it may be a bit easier for Duke students. I have friends over there that have no problems getting many offers wherever they want to go. But, I also know a couple of people over there with solid grades and no offers, despite their best efforts. Not to argue with you, and not to come off as boastful--really I'm just expounding a bit to boost UNC's rep on this thread for anybody who might read it later--but I got offers in New York, Boston, Atlanta, D.C., as did many non-top 20 percent students. The firm I ended up at is a top 5 in the nation in pay and #1 in reputation in a top east coast market (not NY). A good friend was barely top third and got a job at a top 20 New York firm. Neither of us had connections.
The point is that UNC is very competitive with Duke, and a much better value. If I had to choose again, I'd still choose UNC.
12:40 - Completely agree with you. I wouldn't even consider going to Duke, certainly not for that price. As someone who wants to stay in the SE, UNC's reputation is just as good if not better than Duke's rep. Plus the student body is a lot more diverse.
One of my professor's at UNC said it best. He teaches at both UNC and Duke (and is a Duke grad) and told us his Duke students, with their elitist nature, are always asking him which student body is more intelligent, since he teaches both sets of students.
My professor told me he said: "Well, let's put it this way. You are being charged three times as much to be taught the same material by the same professor. Who do you think is smarter?"
Couldn't have said it better myself.
12:40 - What firm exactly do you think is #1 in reputation in a top east coast market (Not NY)? I assume it's Atlanta or D.C.? What firm are you talking about? I want to make that dough.
8:28 - One of your "professor's at UNC"? at UNC belongs to him? I don't even know what an at UNC is. At least Duke students, with their elitist nature, know how to punctuate correctly.
BTW, that bitchy little aside cracked me up. I can smell the jealousy and inadequacy oozing from your post. Smells like an old egg mcmuffin.
3:41 > 8:28