Tufts warns of security breach

Alumni of Tufts University in Boston have been notified that personal information stored on a server used by the university for fundraising could have been exposed to intruders.

The university detected a possible security breach in an alumni and donor database after noticing abnormal activity on the server in October and December. The server was managed by a third-party vendor, according to a statement on Tufts' Web site. The incident is almost identical to a breach in March on a fundraising system used by Boston College and follows reports of other information theft incidents in recent months at California State University, Chico, and the University of California, Berkeley.

As a precaution, Tufts sent a letter on April 7 to 106,000 alumni and donors who could be affected by the breach. Tufts did not have any evidence that the information stored in the database was retrieved or misused, said Betsey Jay, director of advancement, communications and donor relations at Tufts.

The system in question belongs to the university but was running software from and being managed by RuffaloCODY, a software company in Cedar Rapids, Iowa, that assists nonprofit organizations with fundraising, membership and enrollment. The server was being used to support the university's Advancement telefund operation, in which students are paid to call alumni and other donors to solicit gifts for the university, Jay said.

Tufts detected a high volume of unusual behavior on the system that indicated it might have been used as a distribution point in a file-sharing network. However, university IT staff were not able to confirm that any sensitive files were copied or that there was misuse of information on the system, Jay said.

Tufts did not initially disclose the security breach but was prompted to do so after coverage of other recent security breaches, Jay said. "We started to realize that what we had seen wasn't confirmation of misuse but that we should give donors and alums the information [about the breach] as a precaution," she said.

In its letter, Tufts recommended that recipients notify their bank and ask credit bureaus to issue fraud alerts and check for any unusual activity in their name. The university also set up a toll-free support line to assist individuals whose information may have been compromised.

In March, Boston College notified 120,000 alumni that their Social Security numbers and other personal information might have been compromised. As with the incident at Tufts, that notice followed the discovery of a security breach on a third-party server that the university was using for fundraising.

BC is also a RuffaloCODY customer, according to information on RuffaloCODY's Web site. Both Tufts and BC are listed as customers of the company's CampusCall product, which is described as a phonathon automation tool. Other universities in Boston use the product as well, including MIT, Northeastern University and Harvard University Law School. However, Tufts and BC are both listed as managed sites while the other schools are not. Calls to RuffaloCODY were not immediately returned.

The University of Massachusetts campus at Lowell is listed as a RuffaloCODY managed site as well, according to the company's Web page.

Jim Packard, an IT security specialist at UMass Lowell, said he has seen signs on campus that mentioned RuffaloCODY, but he wasn't sure whether the company operates a managed server on the campus. Calls to the UMass Lowell alumni office were not immediately returned.

