More than 1,800 University of California, Irvine students, along with two dozen non-students, have been notified that their personal information was not only left unencrypted, but may also have been compromised after keylogger malware was discovered on three student health center computers.
According to a report from SC Magazine, the keylogger malware was on the health center computers for an estimated six weeks, enough time to affect 1,813 students and 23 non-students.
The malware is believed to have obtained names, addresses, phone numbers, student ID numbers and non-student patient ID numbers. More troubling, however, is the possible compromise of health and dental insurance policy ID numbers, bank names, check numbers for services paid by check, payment amounts received by the student health center, Current Procedural Terminology and ICD-9 codes, and patient diagnoses.
University officials have revealed that the malware was able to send the unencrypted information to an IP address outside the UC Irvine network.
The California Information Security Office (CISO) notified UC Irvine on March 26 that one of the computers in its student health center had been infected by the malware. Upon further investigation, university officials discovered that, in fact, three computers had been at risk from February 14 to March 27.
The three infected computers have since been taken down from the network, with all student health center employees required to change their passwords. A report has also been filed with law enforcement and the investigation is ongoing.
The university is also expanding its regularly scheduled, campus-wide reviews of data security practices to include health center computers, which are being upgraded with anti-virus and security programs. All individuals affected by the malware attack have been notified and will be offered a free year of fraud monitoring services.