Establishing Digital Trust: Don't Sacrifice Security for Convenience
Christopher Andrew Phillips, a computer science major, was charged with "unauthorized access to a protected computer and using a means of identification of another person with intent to commit a federal offense."
The Justice Department said Phillips turned himself in to the U.S. Secret Service office in Austin after officials searched his home and recovered downloaded names and social security numbers. A computer found in Phillips' home also recovered the program used to access the UT database, the Justice Department said.
According to published reports in Texas, Phillips admitted on March 5 that he had written and executed a program that could access a university Web site and its database. An affidavit signed by a Secret Service agent said the computer program entered sequential Social Security numbers at a rate of 36,000 to 72,000 per hour and then gathered personal information related to successful hits.Phillips, who has no prior criminal history, appeared before a Texas Magistrate and was released on his personal recognizance. He is banned from using computers as a condition for his release.
If convicted, he could face a maximum term of eight years in a federal prison and up to $500,000 in fines.
On a special section of its Web site, which is dedicated to the data theft incident, the school made it clear there is no indication the stolen data was shared or used.
"At this point, there is no indication that the stolen data was further disseminated or used to anyone's detriment. Nevertheless, persons who may have been directly affected by this incident should remain alert for possible misuse of their names and social security numbers, and promptly report any suspected illegal activity to the United States Secret Service," according to a note on the Web site.
The security breach, which was described as a "deliberate attack," targeted UT Austin's personnel database and captured names, matching social security numbers, e-mail addresses, titles, department names, department addresses, department phone numbers, and names and dates of employee training programs attended.
Personal information from current and former students, current and former faculty and staff, and job applicants was stolen.