Intruders who broke into the School of Law Web site may have accessed the Social Security numbers of more than 1,400 applicants, officials reported Tuesday.
The incident is being investigated by Duke and Durham law enforcement after a law school webmaster discovered that the site had been illegally accessed Nov. 29.
The breached site contained information from prospective applicants who requested materials from the admissions office, including the Social Security numbers of some.
"The security and safety of our community is of utmost importance to us," wrote William Hoye, associate dean of admissions for the law school, in an e-mail to the affected applicants. "Duke University works hard to protect the personal information of prospective students and other community members. We are taking all possible steps to address this breach and prevent it from happening again."
It is unclear if the intruders actually acquired any of the materials, said Melinda Vaughn, executive director of communications for the School of Law.
Unauthorized links began to appear on the site around 3:30 p.m. Nov. 29, and the site was moved offline immediately after. By Friday morning webmasters had removed the errant links and reinstated the site.
Continued scrutiny, however, revealed that the breach included a server containing sensitive applicant data and the site was once again taken down the morning of Dec. 1. Officials then notified the affected students by e-mail, providing information to help the applicants monitor their credit and prevent identity theft.
Law school administrators also set up a special phone line and e-mail address to provide support for those impacted.
Vaughn said an inquiry into the identity of the hackers is ongoing but University officials "have some ideas."
"We do have a sense of what happened and how the intruders got into the site, but it's still being investigated," she said.
Another site containing data on current applicants, including home addresses, phone numbers, e-mail addresses and site passwords, also may have been accessed.
The second server did not contain any Social Security numbers. Affected applicants were also contacted Tuesday by e-mail and advised to change any passwords they had on other sites that were the same as the one used on the Duke Law site.
As a precaution, the law school will overhaul its application status-tracking page in order to eliminate the need for a password, Vaughn wrote in an e-mail to students and professors Tuesday. She added that the database containing Social Security numbers has also been permanently recalled.
The law school's Web site, which has been offline since Dec. 1, is expected to be reinstated Tuesday night or Wednesday morning, Vaughn added.
Data on current students, alumni and law school employees are stored on another server and were not accessed by the intruders.
Get The Chronicle straight to your inbox
Signup for our weekly newsletter. Cancel at any time.