Friday, October 29, 2010

One Reason Indiana is Better Than Hawaii

Okay, maybe there's still something to this whole college thing. But former students at the University of Hawaii may be feeling otherwise.

The Social Security numbers, grades, disabilities, names, phone numbers and other personal information of more than 40,000 University of Hawaii students who attended from 1990 to 1998 and in 2001 were posted online for nearly a year before being removed this week.

A whole year? Yes. And the guilty party happens to be a member of the faculty.

The faculty member, now retired, inadvertently uploaded files containing the information to an unprotected server on November 30, 2009. He was using the data to study the success rates of Manoa students. Well, if any of them were victims of identity theft and lost money, I think he might need to go back through his data and control for a certain extraneous variable, himself, before publishing any results. In his defense, he said he thought the server was secure.

Again, just like we saw in the CareGroup case study, someone with just enough access and knowledge to do damage caused a disaster. But unlike Halamka, the University of Hawaii doesn't seem willing to adopt new standards and make the investments necessary to prevent these kinds of disasters from happening again: "The incident is the third major information breach in the UH system since last year. Each time, university officials promised it was strengthening its network systems and working to identify other potential security risks," according to the Associated Press.

Aaron Titus, the information privacy director of Liberty Coalition, a Washington-based policy institute, was the one who notified UH of the exposed files on October 18th. On the University's response to the disaster, Titus argues that the university's claim that it has no evidence of malicious misuse of the personal information is misleading: "Of course they don't have any evidence of misuse, because the bad guys wouldn't tell them if they had."

I'm curious to see what we hear from the victims of this "accidental disclosure." I wonder what the damage will be as these former UH students come forward.

5 comments:

  1. In this incident, it seems that the two main causes of the security breach were the employee's ignorance (regarding security measures) and the university's lack of security awareness.

    As Cristin mentioned, this is similar to the CareGroup case, in which one employee has the potential to individually cause a security breach. However, in this case, it would be unreasonably inefficient for more than one person to work on such a project just to ensure security checks and balances. However, I argue that any individual that has access to information of this size and sensitivity should undoubtedly have sufficient knowledge of information security and its potential threats.

    Additionally, had the university been more conscious of their security measures, this would have been easily avoided. Either they would require any IT personnel to understand information security, have someone regularly check the security of their sensitive systems, or simply have stricter procedures regarding their information security. It is clear that this university (and others, I would imagine) lacks true security awareness and therefore does not adequately protect its information. This is also evident from the fact that this was the third major security incident at UH in the last year!

    It is becoming increasingly clear, through the multitude of situations like this case at UH, that it is very important for every organization of any size to secure their sensitive information. As technology is progressively defining so many aspects of our life, security should become an equally defining factor.

  2. I agree with PK and Cristin that one of the main causes of this breach is an employee that "knows just enough to hurt you", but the most alarming part of the article to me is this quote:

    "The incident is the third major information breach in the UH system since last year. Each time, university officials promised it was strengthening its network systems and working to identify other potential security risks."

    PK also touched on this point, but I cannot imagine an excuse that the UH IT department would have for this. This is their third breach in a year. They need to learn from their mistakes and update their IT department (and install a serious attitude around it).

    It shouldn't even take a breach of an organization, school, or business in order for them to focus on information security. They should learn from their peers and as PK stated, "As technology is progressively defining so many aspects of our life, security should become an equally defining factor."

  3. This security breach really speaks to the idea of trusting one individual with private information and how our society has become very dependent on this trust. I feel, as has been stated, that the more and more we rely on technology, the more and more we also need to be researching and developing security techniques to match. When we give so many people so much sensitive information, there is the idea that it will come back and be harmfully used, but at the same time we need to do as much as possible to not allow this to happen. The IT department needs immediate upgrades and assistance in assessing employees and their authorization stances.

  4. I definitely agree with what kflynn5 said above about trust. Throughout the day we entrust so many different people and organizations with our personal information: our schools, our banks, our doctor's offices, our employers, our government, and countless others. With society's ever increasing reliance on technology, we often don't really have a choice in trusting these organizations. If we want to be seen at a doctor's office or enrolled in a school, we have to provide them with our personal information. I usually do this without thinking twice. This case, however, caused me to think a little bit more about all of the organizations that have my personal information. What really struck me about this case was the fact that information had been posted about people who had attended the university all the way back in 1990, which was 20 years ago. It is a little troubling to think about all of the organizations that have had my personal information over 20 years... my preschool, my elementary school, my high school, etc. I'm sure there are many that I don't even remember. This case demonstrates that we should consider carefully who we give our information to, and how much we give them.

  5. I also agree with the relevance to the CareGroup case study and how dangerous it is for one person to have access to all of this information. If someone does have this sort of power, they should at least be trained and responsible to ensure the security of it. Although it is unclear to me where this faculty member's study was being performed, it seems that if they were able to access this private information and load it onto an unsecured network, then perhaps the faculty member was working off-campus. I say this hoping that UH works with a secured network, although, looking at their breach history, this might not be the case. For me this case also seems similar to the breach at Veterans Affairs. It is relevant because I am assuming the faculty member was able to take the information offsite, which was a problem in the VA case because the employee's laptop was stolen. In this case, information was negligently revealed through an unsecured network when, if it could have been restricted to on-campus use only, the problem may have been avoided. Just as was seen in the VA case, if the information is allowed to leave the secure site, it should be encrypted so that this kind of breach cannot happen.
