Saturday, September 26, 2009

UNC Data Breach

Another article about a university's system being compromised by a malicious hacker. According to this article, released today, UNC-Chapel Hill has started informing about 163,000 women that their Social Security numbers and other personal information may have been compromised in a security breach that occurred in the University's School of Medicine server; this server was holding the records of about 236,000 women whose information was gathered as part of a federally funded mammography research project.

According to UNC's chairman, Matt Mauro, signs of the breach were first noticed in July by a researcher who had difficulty accessing the server. Mauro also mentions that the actual breach may have occurred as far back as two years, when they had first discovered some viruses in their systems in 2007. UNC took the server offline when the breach was discovered in July, and the server has remained offline since then, while the university continues to take precautionary measures in order to avoid future breaches.

The university explains that notifications of those potentially affected by the breach have only begun now because the appropriate parties (and authorities) needed adequate time to find out how serious the breach was, as well as to identify the potential victims of this breach. UNC also reports that they do not believe that the attackers have "downloaded or modified the data in any way."

Fortunately. But who knows if that will remain the case for long.

I think that the breach was due to the viruses that were discovered back in 2007; this article did not address how or if the university had taken any action to remedy the effects of this discovery -- which I certainly hope it did. Also, I have to question the security measures that the university has protecting its systems, such as proper firewalls and antivirus software, etc. Hopefully they do regular updates to make sure that they are protected, as these viruses are becoming more sophisticated every day. Again, this article does not provide a lot of details about the nature of the breach, or the viruses, which makes me wonder if the problem came from a virus that they weren't able to clean out of the system when they first found a few of them two years ago. As for who may have wanted to break into this system, I am not sure; it really could have been anybody, and the university has not been able to track them, either.

In spite of the reasons provided by the university with regard to its delay in notifying the potential victims of this breach, I am still surprised that it took them so long to do so. While I understand that UNC wants to have a good idea as to how severe the breach may have been in order to avoid any additional and unnecessary panic or distress to any of the potential victims, they certainly knew that they had been breached, and I think that they could have informed all those who had any chance of being affected in a much more timely manner; that is, all 236,000 of the women whose records were on the server. This way, these women, who run a high chance of being subject to identity theft, would be aware of these dangers and could keep an eye out for anything suspicious in their financial records (for example). I think that the university has a duty to make sure that they are protecting the interests of the people whose information they are holding, and I think that informing the potential victims as soon as possible (from the time that the breach was first confirmed) would have been part of that duty.

Source: http://news.idg.no/cw/art.cfm?id=F5CF8FE9-1A64-6A71-CE25FB1B13C666EE

6 comments:

  1. I am very curious about the specific details of this data breach. It seems like there are very many holes in the information. I wonder what precautions they took after the 2007 attack on the system. If they were aware of a virus back then, did they take the necessary steps to secure the system for the future? Also, if I were one of the women affected by this data breach, I would have wanted to know right after the breach occurred. UNC said they waited to inform those affected in order to see how "serious the breach was". If my personal information were stolen, I would want to know immediately.

  2. As a student at a high profile university, this article makes me very cautious as to what information I supply the university. If they wanted, hackers could access my cell phone number, social security number, personal information, and lots of other information that could be used in identity theft or identity fraud. This also shows the importance of having up-to-date virus software and consistent firewall protection. Being a university, it is important for officials to record and consistently monitor who is accessing the system. Due to the fact that students constantly access the servers, it is important to make sure that no malicious software that will compromise any personal information of the students will be established on the main servers of the university. Universities have the obligation to protect all personal information of the students and need to supply them with a sense of security. I feel as though Notre Dame does an excellent job at securing personal information, and if anything were to happen, would disclose what type of security breach did occur.

  3. Universities, companies, and other organizations often write off failing to notify potential victims of security breaches with the excuse that they needed more time to pin down the details of the breach. I don't understand this logic; if Notre Dame's information systems were compromised I would rather be notified as early as possible that my information had been potentially stolen, only to find out later that it was not, than be told months after the fact that my information had been stolen without a doubt. The former policy would prevent any further damage because I could monitor my information while the University conducted its investigation.

  4. I too would prefer to be told that my identity may have been compromised and then later find out that it wasn't than to not be told for months or even years. It is surprising that the virus attack happened in 2007, and they are just now reporting the breach. While it is understandable if they didn't realize data had been compromised, they still should have informed people sooner.

    It seems like again and again we are coming across cases where there is a very long delay between finding out about a breach and reporting it. The general consensus of the class seems to be that they really need to speed up this process. I would assume most people in the general population feel the same way. Companies and institutions are busy trying to cover their own tracks while they should be erring on the side of caution in terms of letting their customers or people know if their identity might have been compromised.

  5. That is surprising that UNC took so long to inform people about it. It makes me wonder if it is also an issue with the population of campus. Comparing it to Notre Dame, I have not heard of a large scale attack that was not taken care of. Of course, we have a smaller population. The situation also makes me wary of the fact that when you are participating in a study or project, your information can be compromised, even by someone other than yourself.

  6. Everyone is trying to say that they would rather be informed earlier rather than later. I think you have to look at the other side. The university wants to make sure that there is a data breach so that they aren't creating panic among the people affected. I could just see the news tackling a story where a big time university looks like a joke because they thought that there was a breach when there wasn't. I think that if that happened people would still question the university and that there will always be a question on how quickly they could have notified the people affected.
