University’s Online Computer Store Affected by Third-Party Server Hacking

FAYETTEVILLE, Ark. – The University of Arkansas’ chief financial officer said Thursday that hackers breached a third-party, Maine-based computer data server and exposed data stored for the University of Arkansas Computer Store, a university auxiliary unit that offers online shopping for computer-related hardware and software.

On Tuesday, the university determined that the breach could affect as many as 1,007 computer store customers who made online-only transactions at some time during the past four years. However, university officials are continuing to investigate the matter and believe that once it completes its analysis, the actual number of affected customers will be smaller. At this time, a review shows that seven customers’ complete credit card numbers were located in the breached data server, with one customer being a unit of the university. Significantly, no security codes or other sensitive authentication data were stored on the server for any customers, officials said.

Donald O. Pederson, vice chancellor for finance and administration, said the security breach affected a computer server configuration maintained at the University of Maine in Orono, which for several years provided hardware and software support for online computer sales and related transactions on behalf of several universities.

Pederson emphasized that no servers at the University of Arkansas were involved or breached. The specific third-party server that was hacked was located in Maine and solely handled online transactions for the University of Arkansas and other university computer stores. The breach had no effect on in-store purchases at the University of Arkansas Computer Store.

University officials became aware of an alleged breach on Friday, April 27, and immediately consulted with the service provider, forensic investigators and law enforcement to determine what data, if any, might have been affected. Maine State Police personnel conducted forensic analyses of the data server last week, followed by more specific data analyses by university computer specialists in Arkansas and Maine.

Pederson said the university on Thursday morning notified the computer store’s bank of the breach. The university will work to ensure that affected cardholders receive notice of the breach.

The University of Arkansas Computer Store has maintained its online shopping site on the Maine server since 2007, Pederson said. The campus store shut down its online site as soon as it became aware of the possible security breach. The store had been in the final stages of a previously scheduled transition to a campus-based e-commerce site, which will occur as planned this month, Pederson explained.

“At this time specialists in Maine and in Arkansas continue to conduct forensic work on the breach,” Pederson said. “Once that work is complete, we expect the number of exposed customer card numbers to be fewer — perhaps far fewer — than the 1,007 possibilities identified through the initial review.”

The reason, he explained, is because the Maine computer site has maintained what’s called “truncated” data, erasing all but the last four numbers of a credit card number as soon as the customer’s online transaction is completed or closed. Numbers possibly could be retained only under unusual circumstances, such as when a consumer fails to log out of the consumer site. The university will examine all data for the possibility that some numbers might have been captured prior to being truncated.

“I must emphasize that the breach involved only this single, externally managed system that serviced the computer store’s online transactions,” Pederson said. “That system was taken offline on April 27 and will not be used again. No in-store transactions were affected. No University of Arkansas site was involved or affected by the compromised out-of-state server.”