Related articles:

UA computer systems vulnerable to attack, report says

Other articles by Howard Fischer:

Governor: Return Guard troops to border Gov's possible exit puts budget fix in flux Brewer could bring clear rightward tiltNew jobless claims hit 30,000 Jobless rate Gov. calls for more funding of public works If 'SNL' spoof means you've arrived, then Napolitano has Napolitano keeping her options open Atty. general job apparently won't go to Napolitano Holiday meal costs rise again

General
GROUNDS CONTROL
LANDCAPE FOREMAN & LABORERS Retail
TOTAL WINE & MORE
WINE TEAM MEMBERS, CASHIER & STOCK MEMEBERS General
Prestige Maintenance USA
Area Manager Dental
Apache Dental
Porcelain Techs Health Care
Carondelet Foothills Surgery
Pre-Op Nurse Health Care
SOUTHERN ARIZONA ENDODONTICS I
NSURANCE PROCESSOR Health Care
Freedom Manor
Caregivers

PHOENIX — The computer systems at all three state universities are vulnerable to online attacks and hacking, the state Auditor General's Office has concluded.

In a report released Friday, Auditor General Debbie Davenport said her staff was able to access sensitive information in university computers by exploiting weaknesses in their security systems.

Davenport said auditors selected 35 of 205 significant Web-based systems for testing. All of those applications, she said, had commonly found security weaknesses.

From that list, auditors checked six to find out exactly what someone with unauthorized access could do.

In one case, Davenport said, her staffers were able to obtain more than 10,000 records that included names and Social Security numbers. They also accessed other records with student and employee identification numbers, addresses, phone numbers and e-mail addresses.

"These flaws could also be used to modify and delete data in the databases," Davenport reported.

In two other cases, she said auditors were able to access "high-level accounts" in which someone could not just view, but also change, sensitive student and employee information.

And Davenport said staffers found flaws in several applications that would allow unauthorized users to attack the computers of others using the system. She said these flaws can be used to take over accounts and install malicious software.

Davenport declined to provide specific information about the weaknesses, saying she is sharing that only with university officials.

But she said the flaws found in these six systems "are likely to exist in other university Web-based applications," including those that have driver's-license, credit-card and financial-aid information.

She said the problem is more than academic: Attackers traced to foreign countries accessed computer systems at the University of Arizona in 2006 and again last year.

Davenport said there was no evidence that data had been stolen. But she said the 2006 event disrupted the journalism department and the one last year disrupted a procurement system, university library services and a system that processes payroll and meal plans.

"Some services were shut down for several days to restore affected computer systems," she said.

Davenport said all three universities need to develop plans to conduct regular security assessments of their Web-based applications. And she said Web-based servers need to be updated and maintained regularly to keep track of and react to potential new threats.

In written responses, the presidents of all three universities said they agreed with the findings in the report and have put changes in place or are working to implement them.