A university server containing the names and Social Security numbers for 38,941 students, staff and faculty has been hacked multiple times for almost a year, UAF announced Thursday.

Police and UA computing officials are investigating the break-in, which occurred at a server based at the Kuskokwim Campus in Bethel. The university is sending emails and letters to anyone listed in the files.

At a press conference, Steve Smith, chief information security officer at UA, said the probability that personal information was violated is slim. But the university needed to alert people to the situation, he said.

"We have no indication at this point that those files with personal information were copied or manipulated or in any other way compromised," Smith said. "On the other hand, we cannot determine definitely at this point in time that they were not touched by the individual or individuals who compromised this system."

UAF and Bethel police are examining the computer in cooperation with the UA Office of Information Technology for evidence that might lead to an arrest, said Sean McGee, acting police chief.

"What we've been able to do here is coordinate our efforts with the offices that Steve [Smith] represents, and, between the two of us, conduct this detailed examination of the computer itself," McGee said.

Hackers accessed the server multiple times from February 2005 to January 2006, UAF says.

University officials caution that in all likelihood the hackers probably used the servers for something other than identity theft, such as providing space for illegal file sharing, but UAF does not want to take any chances.

The server had contained two files containing information for current and former UAF and UA employees. Information on one of the files dated back to at least 1995. The other smaller file contained user IDs and passwords for Bethel students and employees.

The Office of Information Technology sent an email and letter Thursday to any students and employees listed in the files.

"Please accept our sincere apologies," the email from Smith says. "This is a serious issue for us, and we know it is a serious concern for you."

UAF has valid email addresses for only about two-thirds of individuals on the files, Smith said, and it has the last known mailing addresses for almost everyone.

This is not the first time UAF computers have been hacked. UAF had 342 confirmed computer intrusions in 2005, according to quarterly incident reports.

This most recent attack raises questions about how well the university is protecting its student, faculty and staff IDs.

UAF began assigning students and employees ID numbers in fall 2004 after concerns were raised about using Social Security numbers as identifiers. However, Social Security numbers still work for several university databases, including UAOnline.

"We're going through and cleaning those up now," Smith said.

This latest incident began to come to light on March 30 when a Kuskowim Campus computer technician called the Fairbanks help desk after discovering an anomaly on the server. The university assigned a technician to the problem April 3.

Computer officials identified the incident as a possible security concern April 5. Security technicians conducted a forensic scan of the server and discovered an unauthorized file-transferring program running. The university's lawyers were then engaged, Smith said.

Smith said he learned about the incident April 7.

"We had not detected this earlier because there was no unusual activity taking place on the server that would draw attention to it," Smith said.

UAF says it immediately shut down the program and closed the server after the personal information files were discovered. The university then checked to ensure the UA network system was secure.

"We believe this is a single incident that did not spread to other university systems," Smith said.

The Office of Information Technology began a more thorough analysis of the server April 11. The analysis is ongoing and could take several weeks, Smith said.

Why the Bethel campus, which has a student population of less than 500, had 38,941 individuals' information remains under scrutiny, Smith said.

The larger file was used to authenticate people, Smith said. It's probable that a Fairbanks technician gave Bethel staffers the file to ease the task of credentialing of visiting Fairbanks students and staff, he said.

Smith called that "wrong."

A search of the university network system found four other files listing student and personnel names and Social Security numbers together. The university shut off access to those files completely, Smith said.

Nick Thompson, a natural resource management major, said although he's worried, he doesn't have any credit cards to steal from.

"If I had more to worry about, I'd look into it more," he said.

Rob Exley, a history and philosophy double major and an ASUAF senator, said he's not too concerned.

"It's kind of spooky, but with the number of people on the list, the odds of them using mine are pretty slim," he said.

Coincidentally, on March 31, the Office of Information Technology disabled the UAF Finger Gateway, a site historically used to look-up university email user names, according to an outage work order.

UA General Council requested the deactivation, the document says, because the database provided public access to student information protected by the Family Education Rights Protection Act.

UAF officials, concerned people might try phishing for student and employee information, stressed that it will be sending only one letter and email about the incident. It will never ask to confirm contact or personal information, they said.

For more information, go to http://www.uaf.edu/security/ or call 1-888-331-8003.