When LSA junior Jon Oberheide used Wolverine Access to view his
fall class schedule May 16, he wasn’t expecting to stumble
across the University’s official student record database.

Inside the database, Oberheide, a Computer Science major,
searched for his name and was able to access personal information
including his social security number, University identification
number and address.

After discovering the glitch in the system, Oberheide said he
contacted an Electrical Engineering and Computer Science professor
and the Michigan Engineering Software and Hardware student group
for support.

“When I contacted them I didn’t tell them how to get
to it,” Oberheide said.

“It’s just crazy because it wasn’t hard to get
to at all. It took about five clicks and required no secret code at
all,” he added.

After discussing the incident with the MESH group, he contacted
the University’s Information Technology Central Services, who
corrected the problem in less than 24 hours. But on Thursday, the
Office of the Registrar sent a campus-wide e-mail in which it
reported that the information may have been accessible since Feb.
9, when the new Wolverine Access interface was launched.

“We want to emphasize, of course, that we don’t
think anyone besides the individual who notified us of the
vulnerability has accessed this data inappropriately. We were doing
what we thought was the responsible thing by sending the
message,” said Linda Green, communications coordinator for
Michigan Administrative Information Services.

Although Oberheide easily accessed the information, he said he
did not use prior computer knowledge to obtain entry to the
database. University spokeswoman Julie Peterson said because of the
difficulty in finding the database, it is unlikely it was accessed
in an inappropriate way.

“First of all, this was not a space on the web where
anyone anywhere in the globe could get to. You have to be an
authorized user of Wolverine Access, so that right there narrows it
down to students and some staff who can get into it,”
Peterson said.

Peterson added that the student used the Safari web browser for
Macintosh operating systems whereas most students use Internet
Explorer and would not be able to gain access through Internet
Explorer.

Although the database contains other sensitive information such
as transcripts, Peterson said the University is confident that
these records were not harmed.

“This vulnerability did not allow anybody to change or
alter records. We’re quite certain that no records were
changed or altered in any way,” she said.

In addition to all current students and all incoming freshmen
whose personal information could have been accessed, a number of
alumni may also fall into the group of potentially affected
University affiliates.

But Oberheide said he was not completely satisfied with the
e-mail sent out by the administration.

“It was not a ‘data security breach.’ No
security was bypassed and no systems were ‘hacked’ by
yours truly. It was a programming mistake of the people in charge
of Wolverine Access,” Oberheide said.

In the e-mail, administrators stated that although students
should not be worried, special attention should be given to credit
card reports and billing statements, in case identity theft may
have occurred.

The University has set up a phone line for students who have
questions or concerns regarding this incident, which is (734)
936-7000. In addition, Green, Peterson and the e-mail recommend
that students visit the Federal Trade Commission website,
www.consumer.gov/idtheft, for more information about identity
theft.

In addition, the University set up a website containing more
information, www.mais.umich.edu/main/wa_051704.html, which includes
a copy of the letter sent out to students and links to other
identity theft resources.

“There’s really not much else we can say at this
time in terms of what you might do. You should always be watching
your credit reports on an annual basis, and that’s just a
wise way of managing your personal finances,” Green said.
