Federal prosecutors today charged a University of Texas student with breaking into a school database and stealing more than 55,000 student, faculty and staff names and Social Security numbers in one of the nation's biggest cases of data theft involving a university.
Christopher Andrew Phillips, 20, a junior who studies natural sciences, turned himself in at the U.S. Secret Service office in Austin. He was charged with unauthorized access to a protected computer and using false identification with intent to commit a federal offense.
Authorities had announced the cyber-theft last week. It sent shock waves through the campus of the nation's largest university, prompting students and staff to consider replacing credit cards and freezing bank accounts. There is no evidence that Phillips disseminated or used the information, officials said.
Phillips was released without bail and will have "limited access to computers," Johnny Sutton, U.S. attorney for western Texas, said at a news conference. "The main message today is that these cases will be taken seriously, these cases will be prosecuted, and this case will be prosecuted vigorously."
If convicted, Phillips faces as many as five years in prison and a $500,000 fine, Sutton said.
After searching Phillips's Austin and Houston residences, Secret Service agents recovered the names and Social Security numbers on a computer in his Austin home, Sutton said. According to the indictment, Phillips wrote and executed a computer program in early March that enabled him to break into the university database that tracks staff attendance at training programs.
"This is a wake-up call to all institutions that use the U.S. Social Security number as their customer ID number," said Dan Updegrove, the university's vice president for information technology. "It's something that all of us have to undo."
The university began in late 2001 to limit its dependence on Social Security numbers as database identifiers, Updegrove said. Within two years, the university will use an electronic identification number that can be matched only to Social Security numbers in a hidden database, he said.
The data theft is probably the biggest ever at a university, said Jay Rosen, director of consumer and victim services at the Identity Theft Resource Center, a nonprofit group in San Diego.
"It's a massive undertaking as to what [the hacker] did," he said, noting that identity theft is a growing problem nationwide. "All I need to steal your identity is your name and your Social Security number."