At about 9:30 a.m. on Jan. 3, Curtis L. McNay was performing his daily morning maintenance check on George Mason University's computers.
McNay, who manages some of the university's computing systems, could tell from data streaming across his monitor that someone was trying to break into a database by entering password after password. The intruder had already penetrated one of the university's computers and was apparently looking for a back door into another of GMU's 130 other servers, which store information including students' grades, financial aid and payrolls, according to Joy R. Hughes, GMU's chief information officer.
It was the first sign of a serious security breach at Virginia's largest university. The university said it took almost a week to confirm the nature of the electronic break-in. It then sent an e-mail on Jan. 9 warning its 32,000 students, faculty and staff members that they could be vulnerable to identity theft or credit card fraud.
The compromised computer held a massive cache of information, including names, Social Security numbers, university identification numbers and photographs of everyone on campus.
The university and authorities said yesterday that they were still working to determine who broke into the campus system, how it was done and how much valuable information was stolen. Authorities said they were investigating whether basic computer protections were in place and operating on the computer that was attacked.
On Tuesday, the university handed over the hacked computer -- a Windows 2000 server -- to the Fairfax County Police Department. The police and the FBI were running forensic tests, looking for electronic clues to the hacker's identity. GMU is only the latest campus to be hit by a hacker. In the past two years, similar attacks occurred at the University of Georgia, the University of Texas at Austin, the University of Missouri at Kansas City, the University of California at San Diego, and the University of California at Berkeley.
University campuses present a particularly inviting security target, experts say, because their systems house large amounts of personal data. But protecting the information is more complex than for a typical business because universities are built to foster collaboration and free exchange of information.
"This meant few policies, few restrictions" on how computer networks were to be accessed and used, said Rodney J. Petersen, security task force coordinator for Educause, which works on information technology issues for about 2,000 higher-education institutions. "But our greatest strength is now a weakness."
Some schools are beginning to use software to scan individual computers before they are allowed to connect to campus networks. Others are setting up multiple smaller networks that house sensitive data, keeping them separate from the main networks. And campus officials are more actively monitoring network activity.
GMU is looking to take those steps as well, said Daniel L. Walsch, a spokesman for the university.