U.S. port officials were alerted Wednesday after Kansas University officials discovered a computer hacker downloaded personal information the university had collected on 1,450 international students as part of new homeland security measures.
The FBI said agents would be on campus today to begin investigating the data theft.
"We intend to find out who did this," FBI Special Agent Jeff Lanza said.
The breach, which was discovered about noon Wednesday, raised concerns someone might use the information to enter the United States illegally.
International students were outraged about the breach of security.
"Oh my God," said Cindy Yeo, a junior from Singapore, when told of the data theft. "Here we are giving up everything because of all this terrorist stuff, and suddenly somebody has access to all of my personal information?"
Wilson Yeung, a junior from Hong Kong, had another concern: "What if they use that information for a terrorist attack? That would be so bad. I'd be in trouble."
The files, which were stored on a computer in KU's Academic Computing Center, were test files for the Student and Exchange Visitor Information System, which will allow universities to transmit information on international students to the Immigration and Naturalization Service beginning in August.
The files included student information such as Social Security numbers, passport numbers, cities and countries of origin, KU identification numbers and programs in school.
KU enrolled 1,677 international students last fall. Enrollment totals for the spring semester were not available. KU officials said that because the file was a test, it was possible a few student histories included in the purloined data weren't those of international students.
KU officials contacted the FBI and INS Wednesday afternoon.
Lanza, the FBI agent, declined further comment on the incident. Officials of the INS, who KU officials said had notified ports of entry about the situation, couldn't be reached for comment Wednesday evening.
Marilu Goodyear, vice provost for information services at KU, said the hacker had illegally used the KU computer five times between Jan. 6 and Friday, when the SEVIS database files were downloaded. In the previous incidents, the hacker used the computer to distribute copyrighted movies and pornography, she said.
Goodyear described the problem as a "hole" on the computer's security system that could allow a "medium-expert hacker" to break into the computer. She attributed the problem to Microsoft Windows, not the SEVIS software.
"The server was secure when it was installed," she said. "We were installing a security upgrade to the system when a hole we had fixed reverted to its original state."
KU's international students were notified of the hacker by e-mail Wednesday night. Goodyear pledged to help protect students from identity fraud.
"We regret this," she said. "We're very sorry the hacker chose us. We're sorry this is an element of their life they have to deal with."
Several international students questioned whether KU was protecting their personal information.
Yeo said student fees for KU international students had increased $50 this year to help pay for the SEVIS system.
"They raised school fees to put in the program, and this is what we get for it?" she said. "Having all our information given out?"
Yeung said he discovered this week that someone had made about $700 in online purchases from his debit card beginning Jan. 18, the day after the hacker downloaded the file.
Goodyear said that card numbers weren't available in the database, so it's unclear whether the incidents were related.
"That's really bad," Yeung said. "That information should have been kept in a safe place."