In an attack on the Johns Hopkins University servers, a hacker was able to obtain the names, emails and phone numbers of some 850 current and past biomedical engineering students.
In a bizarre twist to the story, the Baltimore Sun reports that the hacker then attempted to use the acquired personal data as leverage, demanding that university officials provide passwords granting further access to the university’s servers. The hacker stated that if their demands were not met, the personal data would be posted online for all to see.
University officials didn’t budge and are instead working with the FBI to conduct a formal investigation. Hopkins officials initially believed that the number of student accounts affected was nearly 1,300 but later discovered that there were a number of duplicates, bringing the total down to 848.
The compromised data was connected to an academic course in which students work in teams to solve engineering problems. The course file contained information for students who enrolled in the class from 2006 through the fall of 2013. Following the breach, Johns Hopkins officials immediately alerted all engineering students via email and also planned to contact former students as a precautionary measure.
University officials do not believe that identity theft was the hacker’s endgame, but notifying all affected parties was necessary nonetheless.
The compromised server is primarily used to run the biomedical engineering department’s website, and also contained the names, contact information and biographical information of faculty and staff – data that is already publicly available on university websites. The server also contained student-submitted comments made for evaluating the engineering course and their classmates, but it did not contain class grades.
University officials believe that the breach occurred in November and that they were alerted to a weakness in the server via a Twitter message in January. After receiving the tip, they secured the database.
Hopkins officials stand by the decision not to hand over the credentials the hacker was demanding, and will work to have the stolen data removed from any websites it has been posted to. As of yet, there is no word on where the hacker posted the contact information of the affected students.