March 7, 2014
FOR IMMEDIATE RELEASE
CONTACT: Dennis O’Shea
The following statement may be attributed to Johns Hopkins University spokesman Dennis O’Shea.
Johns Hopkins has learned from the FBI that information stolen from a Department of Biomedical Engineering web server was posted on the Internet on Thursday, March 6. This came one day after the department received what can only be described as an extortion message from someone claiming to be a member of the hackers’ group called Anonymous.
The extortionist threatened to post stolen BME Department data if the university did not provide user ID and password credentials to access the university’s network. The university did not and will not provide that access.
The department, the Whiting School of Engineering and the university are investigating this situation, and are cooperating with the FBI’s criminal investigation. We are still gathering information, but here is what we know now:
— The server in question is used primarily to produce the Biomedical Engineering Department website. The breach apparently occurred late last year, but came to light when someone posted on Twitter in January that the server was open to attack. The coding error that left a database on the server vulnerable was promptly identified and fixed, but the data had already been extracted.
— There is no evidence that the database on the server contained Social Security numbers, birth dates, credit card or other financial information, or other data that would be useful in an identity theft scheme.
— In fact, much of the stolen data is employee information that is publicly available from the department website. That data includes names, contact information and biographical information on current faculty and staff.
— We learned only this week, however, that the database also contained student data from the department’s BME Design Team course. This information includes records with names and contact information for approximately 848 students enrolled in the course from 2006 through 2013. It did not contain grades. It did contain student-entered comments evaluating the course and fellow team members.
— The university is pursuing efforts to have the stolen information that was posted removed from the websites where it appears.
We will continue to pursue the facts concerning this incident and, of course, will assist the FBI in any way we can. The internal review will attempt to answer, among other things, why the course-related data was on the server for a department website, why it was vulnerable to attack and why it was not cleansed of outdated information. This information will help us take action to minimize the risk of any future occurrence.
We are informing BME students, faculty, staff and alumni about the breach.