The Community College of Southern Nevada is warning nearly 200,000 current and former students that their names and Social Security numbers might have been stolen using a computer virus, though officials say it's "highly unlikely" that anything was stolen at all.
"We don't believe anybody's identities were really stolen," CCSN President Richard Carpenter said. "But we would rather err on the side of caution."
Carpenter said a computer virus was detected in late February on one of the college's two servers that stored students' names, Social Security numbers and dates of birth.
An internal investigation couldn't find any evidence that the information had been accessed or downloaded by the virus during the four days while it was on the server, Carpenter said. The server later was sent to a third party that came to the same conclusion.
At a cost of $89,330, CCSN mailed letters Thursday to 197,518 current and former students dating to 2000, warning them about the possibility that their identities may have been stolen.
No faculty information was on the server, Carpenter said.
Personal information such as Social Security numbers, names and credit card numbers can be used to commit fraud and other crimes in the name of the person whose information was stolen. The information can be used to rent an apartment, establish a telephone account or obtain a credit card.
The Federal Trade Commission estimates that as many as 9 million Americans have their identities stolen each year.
The hacker attack was the first in the college's 35-year history, Carpenter said.
Staff in late February noticed irregular activity on the server during routine maintenance and discovered that it had been accessed by an outside source, according to Shah Ardalan, chief information officer for CCSN's Office of Technology Services.
Staff immediately unplugged the server, but the extent of the damage remains unknown.
Carpenter said officials couldn't be "100 percent certain" that nobody's information was accessed.
The nature of the virus also was unknown, although Ardalan suspected that it was an automated virus that implants itself on servers in an effort to steal or store information.
Ardalan said such hacking is common, adding that most users of personal computers or data servers where the activity is occurring are unaware that it's going on.
"Any kid from Taiwan can be running this," he said. "They're just sitting somewhere overseas, scanning (computer) ports and entries" on Web sites.
He said the motives of the person who accessed the server could be as malicious as trying to steal people's information or as innocent as bragging to his friends that he hacked into a college server.
The college since then has stopped storing Social Security numbers on its servers and is undergoing a $1.5 million effort to centralize all of its 180 servers in one secure area, a project that was in the works before February and is scheduled to be completed by Sept. 1.
Because of federal reporting requirements, the college requires that students submit Social Security numbers when they apply to the college.
But students use only their student ID number, which CCSN calls a "C" number, from that point on in their college career.
The server that was attacked will store only students' ID numbers and their names from now on, Carpenter said. If a hacker obtained a student's ID number, the worst the hacker could do would be check out a library book without the student's permission, he said.
Social Security numbers for CCSN students now are stored only on Nevada System of Higher Education servers, Carpenter said.
University and college servers have been popular targets of hackers.
CCSN came under attack again when a former college employee hacked into the college's Web site about two months ago and deleted some faculty data, officials said.
CCSN Police Chief Sandy Seda said his department obtained a search warrant last week and seized several computers and equipment believed to have been used in the attack.
He said he couldn't provide more information until he decides whether to recommend that the district attorney press charges against the individual.
The later attack is believed to be unrelated to February's incident.
In 2005, a hacker invaded a University of Nevada, Las Vegas server containing the records of as many as 5,000 former and current UNLV international students. The FBI still is investigating the case, and nobody has been charged in relation to the crime, according to Lori Temple, UNLV's vice provost for information technology.
That same year, hackers gained access to a database at UCLA that housed the personal information of about 800,000 current and former students, faculty and staff in what was regarded as one of the largest computer security breaches at a U.S. university, according to the Los Angeles Times.
Presley Conkle, a former CCSN student body president who is scheduled to graduate on Monday, said it was "scary" that his information was on the server but added that he wasn't too worried about it.
He said he could understand if his peers felt differently about the possibility of having their identities stolen.
"This is when they're going out into their lives, they're just starting out, and they don't want credit problems," he said.