Jacksonville State University officials learned Tuesday of a website that allows users to search for students’ personal information, including photos, addresses and phone numbers, all apparently stolen from JSU’s own database.
The site allows visitors to search using students’ names to find photographs along with birthdates, student ID numbers, fraternity and sorority affiliation and other information. Information for some former students, faculty and staff is also on the site.
The Star is withholding the address of the site, which as of Tuesday night was still live.
An email associated with the site returned a request for comment late Tuesday that read: “The website is intended to be a safe yet intriguing lesson to universities and other academic institutions to value their students’ personal information. We live in an age where records that were once on paper protected by security guards are now digitized protected by nothing.
“I believe among the responsibilities of any organization that one belongs to is the protection of their subjects’ personal information,” the email continued. “Jacksonville State University among others have failed to honor this responsibility.”
The university released a statement Tuesday night that indicated state and federal law enforcement agencies were investigating the matter. The release added that students should change their log-in and email passwords.
“To prevent further compromising our investigation we are limited as to what we can share at this time,” JSU spokeswoman Buffy Lockette wrote in a text message.
Tyler Brown, president of JSU’s Student Government Association, said the site was a much-talked-about topic on campus Tuesday.
“I think people are surprised about information that anyone can get at any moment, apparently,” he said.
Reached by phone Tuesday evening, President John Beehler said he was notified by Vinson Houston, JSU’s vice president of information technology, of the site’s existence around the lunch hour.
“Apparently, they set up a phony website and somehow got into the information system,” Beehler said. “We’re doing our due diligence to try to find the extent of the breach and what information may have gotten out and mitigate the damage.”
Asked what steps the university is taking to see the site taken down, Beehler said: “I really don’t know the details.”
“I leave the details for my staff,” Beehler said. “They are doing everything they can.”
He said JSU, like any school or corporation, has preventative systems in place to protect itself from such breaches.
“Something new happens like this and you have to improve the software. It’s like a never-ending cycle,” he said. “There’s as many people out there trying to destroy systems as there are trying to build them.”
Guillermo Francia, the director of JSU’s Critical Infrastructure Security and Assessment Laboratory dedicated to cybersecurity research, said “there are so many avenues” to breach the university’s database. One of those avenues, he said, is through a hacker masquerading as a virtual university employee with access to data.
“That’s just one way,” Francia said. “I have a feeling that’s the most likely attack vector here.”
He did not expect the information leaked on the site to leave cyberspace any time soon.
“There’s really no censorship on the Internet,” he said. “You can shut it down for a day, and they can bring it up in other places.”
A Twitter account associated with the site sent its first post around midday Tuesday, including the address of the site with the message, “released.”
“Perimeter security at its finest,” read a later tweet sent around 5 p.m. “Let’s take a moment to learn something.”
In an apparent challenge to investigators, a message on the site itself claimed that the author lives in Russia, and that services used to establish the site were in Bulgaria and Switzerland.
“Start buying tickets,” the message read.