The following FAQ explains the events surrounding a January 14-16, 2007 compromise of the University's Research Board Grant Application System, which is a computer system that manages the grant application and review process for the Research Board of the University of Missouri. This computer system is referred to in this FAQ as the "system."
At 8:33 AM on January 16, 2007, University staff were informed that the Web pages on the system had been accessed and vandalized or changed. IT staff took the system off-line at 9:30 AM the same day and began performing computer forensics on the system. The forensic investigation indicated that the system had been initially compromised at 3:30 PM, January 14, 2007.
The Multi-State Information Sharing and Analysis Center (MS-ISAC), a not-for-profit organization that scans the Internet looking for illicit activity, had initially informed MOREnet security staff of the compromise, and MOREnet in turn notified campus IT staff.
Unauthorized access was gained through the system's Web-based application, which had been developed several years ago to facilitate the receipt of applications and process the reviews of research proposals. The application did not have the safeguards that current applications have to ward off increased threats from the Internet.
Users whose names, addresses, Social Security numbers and system passwords could have been obtained by third parties have been notified of the unauthorized access, with instructions on how to monitor their credit reports for suspicious activity and how to address concerns about their password.
For users whose names, addresses and passwords could have been obtained by third parties, an e-mail was sent providing instructions on how to manage the possible compromise of their passwords.
If you are certain you have used the system, but did not receive a letter or an e-mail, contact kanatzars@umsystem.edu or call (573) 882-1714.
The system assigned a random password to each authorized user. The system also provided each user an option to change the password. If you did not change your randomly generated password, no actions need to be taken since the system has been disabled and the passwords will not be used on the system again.
If you changed your password, and the new password was the same as the password you use to access other electronic systems, you should change your password on those systems immediately. In particular, if you used this same password to access any personal financial systems such as online banking, you should check with the providers of those systems to determine if your account has been accessed without your knowledge. If you find suspicious activity on any personal financial systems you used, you should visit the site at http://www.ago.mo.gov/publications/idtheft.htm.
If/when you change your passwords, we strongly suggest that you do not use the same password to access work-related systems as you use for personal on-line systems.
You can go to the Missouri Attorney General’s website on identity theft at http://www.ago.mo.gov/publications/idtheft.htm, and to the Federal Trade Commission’s website on identity theft at http://www.ftc.gov/bcp/edu/microsites/idtheft.
The old system has been completely disabled and the University is working to establish a different process for the current grant competition. Contact Sam Kanatzar at kanatzars@umsystem.edu or at (573) 882-1714.
The University has worked and will continue to work diligently to secure its computer systems and information resources. All companies or organizations using the Internet to serve their customers face this challenge. The University of Missouri follows industry standards to keep its computer systems secure from hackers.
The system was put on-line in February of 2002. If you submitted a grant application to the University Research Board, were a reviewer or otherwise interacted with the board prior to February 2002, your submission is not contained in the system.