Hackers who broke into 100 university websites worldwide posted personal data on 1,560 lawyers from the continuing legal education program at Rutgers’ two law schools.
In an email on Tuesday to those lawyers, the university’s Institute for Professional Education said “it appears that hackers were able to access some information, including names, addresses and encrypted passwords” from its site, www.rutgerscle.com.
The hackers also obtained telephone numbers and email addresses — but no credit card information — of people who registered online for Rutgers CLE classes, says Michael Sepanic, a spokesman for Rutgers Law School-Camden.
No other Rutgers-affiliated websites were hit, according to the university, which learned of the online attacks on Oct. 1.
An organization called Team GhostShell claimed responsibility on Oct. 1, saying in an Internet forum it was protesting the rising cost of education and the burden of student loans.
In its email, the Rutgers institute said it has addressed the security issue, “including changing to stronger passwords and increased levels of security.”
The email said that the information that may have been accessed is not confidential and most is publicly available, except for the encrypted passwords.
Those words are now obsolete.
But the university advised those people to change their passwords, and urged anyone who had used the same password for other accounts to change those as well.
The email said the school was confident the situation would not recur.
The hackers posted the stolen data to a website called pastebin.com, although the files have since been removed.
Other institutions targeted by the hackers include Princeton University, Harvard University, Cornell University, Duke University, the University of Zurich in Switzerland and Osaka University in Japan.
Team GhostShell also claimed responsibility for attacks in August on computer systems belonging to the Central Intelligence Agency, other government agencies and large banks. The organization has also threatened additional attacks.
Aaron Titus, chief privacy officer for a New York data-protection company called Identity Finder, says anyone whose data was accessed from the Rutgers site should be on the lookout for so-called spearphishing scams.
Spearphishing is a variant of phishing, in which criminals send out thousands of email messages purporting to be from a legitimate business, such as Bank of America, says Titus, who conducted an analysis of the university data breach.
The messages might advise that the bank’s servers were hacked, and ask recipients to follow a link to a website, which then asks them to supply sensitive data, such as a bank account number or credit card number.
Most recipients ignore such messages, but for the few who fall into the trap, the data provided is used to commit fraud, says Titus.
A list of names with corresponding street addresses, telephone numbers and email addresses can facilitate spearphishing by using the extra data fields to enhance the credibility of the fraudulent email messages, Titus says.
Unsolicited emails that ask for information about the recipient should be viewed with suspicion, he says.
The hackers who broke into the computers at Rutgers and the other universities likely spent several months scanning subdomains in each institution, looking for areas where security was lower, says Titus.
Many of the areas that were hacked were peripheral sites, such as alumni associations and professors’ sites, whose security was less rigorous than that of academic department and administration sites, he says.
The two law schools formed the institute in the fall of 2009 to help lawyers meet a requirement for continuing legal education, which went into effect in January 2010.