The IT staff discovered that five departmental servers were breached, which contained social security and university ID numbers for students who took classes in computer science, world languages and cultures and materials science and engineering. The machines were infected with bitcoin-mining malware.
No financial information was contained in the exposed records.
The primary purpose of the hack, however, seems to be bitcoin mining, which in and of itself is a legitimate action – just not when carried out using unsuspecting machines. The Bitcoin Wiki noted that “Mining is intentionally designed to be resource-intensive and difficult so that the number of blocks found each day by miners remains steady….Bitcoin mining is so-called because it resembles the mining of other commodities: it requires exertion and it slowly makes new currency available at a rate that resembles the rate at which commodities like gold are mined from the ground.”
As such, mining is a vastly complex mathematical challenge and those searching for the proverbial gold in bitcoin banks typically need big machines with big horsepower and legions of graphics cards. Or, hackers searching after new currency are increasingly looking to hack servers and set-up botnets to offload the resource-intensive process.
“Iowa State has received no reports, nor do we have any evidence, that your information was actually viewed, accessed or used in any way,” university officials said in a statement. “No student financial information was in the data, and we do not believe that your personal information was a target of this server breach.”
A forensics investigation discovered that the hack occurred on February 3, and was first discovered on two of the infected servers on February 28. By March 3, the breach was repaired.
Law enforcement officials have been notified of the incident, and an Iowa State response team has also been working on the issue. Meanwhile, as an added precaution, the university has arranged to have AllClear ID protect affected students’ identity for 12 months
“You may continue to receive legitimate requests for information by phone, mail, or email from the
Iowa State University Foundation or Iowa State University Alumni Association,” officials cautioned. “However, no representative from Iowa State will ever ask for your Social Security number.”