BU Today

ROTC Computer Files Found in the Public Domain

Technology error exposes personal information

Tracy Schroeder, BU’s vice president for information systems and technology, says the University moved quickly to take the computer off the BU network and secure it. Photo by Vernon Doucette

A file transfer program erroneously installed on a server in an Army Reserve Officers’ Training Corps (ROTC) office at Boston University inadvertently exposed personal information about thousands of people affiliated with the program. University officials say the compromised computer was taken off-line when the breach was identified on July 28; they are working with the U.S. Army Cadet Command to contact every person whose information was placed at risk.

The incident involved information on 6,675 people, say University administrators, 406 of whom are affiliated with BU. Officials believe the rest come from ROTC branches around the country.

Tracy Schroeder, BU’s vice president for information systems and technology, says the University moved quickly to take the computer off the BU network and secure it.

“We have done everything possible to conduct a thorough analysis of the data, notify affected individuals, and identify steps to prevent such accidents in the future,” says Schroeder. “We know that people trust the BU network, and we are committed to maintaining that trust.”

The security breach was discovered at approximately 2 p.m. on Friday, July 28, by Andrew B. Binder, a network administrator for the California-based Alfred Mann Foundation, a nonprofit medical research foundation. Binder, a U.S. Navy reservist who reports that he has been a victim of identity theft twice in recent years, says he was searching the Web for software to help connect to a military Web site when he came upon documents containing personal data.

“I didn’t want to see my brothers go through what I went through with identity theft,” says Binder, who called BU to warn of the vulnerability. He informed James H. Stone, director of consulting services in Information Systems & Technology and a high-technology crime investigator, who took the compromised file server off-line.

An investigation has revealed that the information, which includes social security numbers and some birth dates, had been exposed since last September, when an ROTC member installed a file transfer program on an ROTC server. That installation, conducted without consultation with the University, placed information in the public domain.

Douglas Sears, associate provost and assistant to the president for outreach and special initiatives and director of BU’s Division of Military Education, says he is pleased with the forthrightness of military colleagues, led by Lt. Colonel Scott Williams, a professor and chairman of the Department of Military Science, who worked with University officials to find out what occurred and to address the problem.

“Obviously we are distressed that personal information may have been compromised because of an error within our unit,” says Sears. “The University has moved quickly to address the issue and to make available to possibly affected individuals the appropriate means for ensuring they do not become victims of identity theft. We will work with Vice President Schroeder and her staff to implement controls and procedures that will ensure that information is properly stored, protected, and removed when no longer needed.”

Schroeder says the University has purchased an excellent identity theft protection service to work with anyone whose identity was stolen. A third-party security vendor, Protiviti, Inc., also has been hired to investigate the breach and make recommendations about how to prevent data leaks. She says the University is working with the U.S. Army Cadet Command to send letters to everyone whose information was made available and has notified Massachusetts Attorney General Martha Coakley (LAW’79) and other regulatory agencies.

Art Jahnke can be reached at jahnke@bu.edu.

9 Comments on ROTC Computer Files Found in the Public Domain

  • Anonymous on 08.20.2009 at 2:15 pm

    And so how do I tell if I was affected? Sit around and wait for BU to contact me? It has been a looooong time since I was in the ROTC program at BU; I doubt they still have my unlisted phone number.

  • Anonymous on 08.24.2009 at 12:17 pm

    Human error

    The tag line on this article: Technology error exposes personal information – seems to be the wrong synopsis. Per the article, it was a human decision to install file transfer software on an otherwise secure machine that exposed sensitive information.

    I wish they had disclosed the reason the FTP program was installed – Was it another case of someone trying to acquire bootleg songs or software?
    Did they expose their buddies trying to commit what they consider a ‘victimless crime?’ I am just speculating here – I have no knowledge of the incident beyond this article.

  • Anonymous on 08.24.2009 at 1:06 pm

    Just got the letter from BU today, thought maybe it was phishing, guess not. Reminds me of the VA scandal that happened a few years back with the stolen laptop. Sure wish veterans could get better protection….

  • Anonymous on 08.24.2009 at 4:07 pm

    Sweep it under the rug?

    Boston University is offering only one year of paid identity protection to the people who were affected by this. So are they supposed to purchase the protection with their own money for the rest of their lives as a result of the carelessness of the University and the ROTC program? Thanks a lot.

  • Anonymous on 08.24.2009 at 10:49 pm

    ROTC lacking IT support

    There is no reason why that SVR should hold that much unrelated information. Why does BU ROTC hold other cadet programs’ information? This is a mess, and the PMS and ROTC CMD failed to follow the Army G6 guidelines and are not doing any IA.

  • Now at Fort Bragg on 08.30.2009 at 11:31 pm

    Army ROTC Command Failure

    As a follow up, Mr. Jahnke can give us a cost estimate of how much BU will be paying for this service? I hope this is coming out of the Army ROTC budget, and will not have an impact on the Navy and the Air Force. Who put the file sharing on the computer, a student or a faculty/army member? Is BU potentially liable?

    The ROTC detachment has been well known as an easy place to access and to use the computers in the basement. The command there regularly allows cadets to leave computers on overnight, access any sites on the internet they want, etc. In the first floor copier room there is a computer that was left on ALL THE TIME (the reason being some nonsensical attempt at creating a “unit server”)! Was this the computer that was compromised or are they still leaving it on all night waiting for the next hacker to break into the system and compromise something else?

    As was pointed out in another posting, the Army can’t even seem to follow their own regulations. Is this the type of “Leadership” example that the Army is providing to BU to train officers? It is laughable. If there is any Army money being spent to fix the problem, perhaps Colonel Williams could contribute a month’s worth of his pay toward the cause.

    I look forward to a follow up article revealing who installed the software, for what reason and how much the University will have to pay to remedy the situation. It also would be interesting to get an assessment of the potential liability involved.

  • Anonymous on 09.06.2009 at 9:34 pm

    Why did BU even have my info??

    I just got the letter as well. I didn’t even go to Boston U – I went to another ROTC program at a university 5 states away, 6 years ago! Why did they have my information? How did a CADET have access to this information? And what is being done about this cadet’s blatant disregard for OPSEC and plain lack of common sense?

  • Anonymous on 09.09.2009 at 8:23 pm

    BTW it was not a cadet, it was JUNIOR cadre who was responsible. I wonder if he was punished at all…

  • Anonymous on 09.14.2009 at 10:39 am

    How did the student get admin access to install the program?
    Who is responsible for review of the server event logs?
    Most importantly, WHY wasn’t the data encrypted?
