Security Breached On Duke Law Site

Hackers may have perused the Social Security numbers and contact information of prospective Duke Law School applicants when the school’s Web site was illegally accessed last Thursday.

Technical administrators working on the site discovered that someone had gained unauthorized access to the Web site, compromising two databases, said Melinda Vaughn, a spokeswoman for the law school.

The first database contained the Social Security numbers of about 1,400 potential applicants who requested information from the law school admissions office.

The second database held contact information including home addresses, phone numbers, and e-mail addresses, as well as user-generated passwords, for an additional 1,800 people who had already submitted applications.

Duke officials are uncertain whether the electronic intruder actually acquired the compromised data, but the admissions office has contacted people affected, warning them of the security breach.

In one such e-mail sent Tuesday, William J. Hoye, Duke Law’s associate dean of admissions and financial aid, emphasized that while there is “no evidence that the intruders actually downloaded or acquired any of this information...the intruders had the opportunity and the tools to do so.”

Admissions officers encouraged those whose Social Security numbers were compromised to closely monitor their credit and protect themselves against identity theft. The e-mail suggested that students place a fraud alert on their credit reports, providing links to credit bureaus. Duke also advised applicants to change their passwords elsewhere if they are the same as the one used on the Duke Law School Web site.

After the intrusion was discovered last Thursday, administrators immediately took the site offline as a precautionary measure and notified law enforcement agencies.

Duke subsequently launched an investigation of the security breach and committed itself to safeguarding confidential data.

“We are in the process of analyzing the Web site to remove any unauthorized coding or material, and we’ve moved everything off of the Web server,” Vaughn said. “We’re also doing a longer-term investigation, making sure we’re doing everything we can to protect information and follow the policies we have in place.”

Jeffrey S. Bramson ’08 said that although the password he used to access the Duke Web site was one that he has used for other things, he was not concerned.

“By the time I found out about it, they said it had already been taken care of, so it didn’t really worry me,” he added.