What You Post Online Could Be Used To Determine Your Mental State

Elizabeth Martin, a researches in the Psychological Science department at the University of Missouri recently completed a study of social networking usage. Martin concluded:

"Therapists could possibly use social media activity to create a more complete clinical picture of a patient... The beauty of social media activity as a tool in psychological diagnosis is that it removes some of the problems associated with patients’ self-reporting. For example, questionnaires often depend on a person’s memory, which may or may not be accurate. By asking patients to share their Facebook activity, we were able to see how they expressed themselves naturally. Even the parts of their Facebook activities that they chose to conceal exposed information about their psychological state.”

Martin had study participants -- about 200 college students -- print out their Facebook activity, and then:

"... correlated aspects of that activity with the degree to which those individuals exhibited schizotypy, a range of symptoms including social withdrawal to odd beliefs. Some study participants showed signs of the schizotypy condition known as social anhedonia, or the inability to experience pleasure from usually enjoyable activities, such as communicating and interacting with others. In the study, people with social anhedonia tended to have fewer friends on Facebook, communicated with friends less frequently and shared fewer photos."

According to Mashable:

"The idea for the study came through a conversation between Martin and the second author, Drew Bailey, who doesn't have a Facebook profile. A discussion arose about profile content and its correlation to psychology."

If therapists and psychologists believe that can tell a person's mental state from their posts on social networking websites, then it is appropriate to assume that other professionals (e.g., insurance, human resource professionals) will also want access to social networking profiles. In other words, some social networking websites may view this as a potnetial, new revenue stream. Credit reporting agencies already want access to consumers' social networking profiles to enhance credit decisions. And in some instances, courts have ruled that your social networking activity can be accessible during a lawsuit.

 

Massive Data Breach At Northwest Florida State College Affects About 300,000 Persons

Last week, officials at Northwest Florida State College (NWFSC) announced a data breach that affected more than 275,00 persons. The affected persons include about 76,500 current and former students, 200,000 Bright Futures scholars, and 3,200 employees.

The breach occurred between May 21 and September 24, 2012, and included the unauthorized access of one of the school's computer servers.The sensitive personal data exposed/stolen includes full names, addresses, birth dates, and Social Security numbers. The Bright Futures persons affected include students during the 2005-06 and 2006-07 academic years. The data exposed/stolen about Bright Futures students includes full names, birth dates, Social Security numbers, ethnicity and gender. NWFSC announced that no student academic files were compromised.

The data exposed/stolen about employees included full names, Social Security numbers, birth dates, banking direct-deposit account numbers, addresses, phone numbers, and college email addresses. A breach investigation is ongoing, where NWFSC has hired an unnamed technology consultant, and is working with local law enforcement. According to a press release:

"The college is coordinating its efforts with the Division of Florida Colleges in the Department of Education to formally notify all students impacted by the data breach."

Northwest Florida State College has contracted with an external consultant, to ensure the college’s data remains safe and secure. Further, the Okaloosa County Sheriff’s Office cybercrimes unit continues to investigate the matter with assistance from the Florida Department of Law Enforcement.

NWFSC advises affected persons:

"... individuals who notice improper use of their Social Security number and believe they may be the victim of identity theft should contact the Federal Trade Commission at www.ftc.gov/idtheft or at 1-877-ID-THEFT (438-4338). Affected persons may also call the local sheriff’s office and file a police report of identity theft, keeping a copy of the police report."

In an Oct. 8, 2012 memo to employees (Adobe PDF), NWFSC said:

"... one or more hackers accessed one folder on our main server. This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees..."

The memo to employees outlined three specific identity theft and fraud actions by the thieves:

"The first is to use PayDayMax, Inc. as a conduit for taking out a personal loan which is repaid by debiting your bank account. The second is the same process using Discount Advance Loans. The third is to apply for a Home Depot Credit Card in an employee’s name and then use that card..."

Given this active identity fraud, both students and employees should take the threat seriously, and take immediate actions to check their credit reports at the three major credit-reporting agencies; and place a Fraud Alert or Security Freeze if appropriate. Plus, NWFSC should offer breach victims free credit monitoring and resolution services for at least two years.

PlaceRaider: Part Of The New Class Of 'Visual Malware'

You may remember news stories during past years where thieves used the Google Earth service to find buildings with valuables on the outside -- roofs made with precious metals, so they could return at night to steal the metal and resell the stolen goods for a profit. Now, imagine a scenario where thieves take over the camera in your smart phone (or tablet) to find valuable items inside homes, to return later when you are away or at work to steal the items they remotely recorded on video.

This sounds like science fiction, eh? Or maybe a fictional episode of NCIS?

Well, it's not science fiction. It's science fact, and the software is available today.

A reader alerted me to an article in Technology Review about PlaceRaider, an Android app already created to secretly record via the victims' mobile devices their personal spaces. With the secretly recorded video, the user can create a three-dimension virtual model of the recorded space:

"... Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of 'visual malware' capable of recording and reconstructing a user's environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information... the malware would be embedded in a camera app that the [victim] would download and run..."

The military applications of this are obvious. It's a stealth method to gather intelligence by recording the battlefield (or urban landscape) before the battle by using malware installed in the enemy's mobile devices. An accurate 3-D virtual model, complete with tools and papers lying about, would enable military officials to plan a more effective and efficient attack -- and know ahead of time what documents to look for and to capture.

An app like this in the hands of identity criminals would be equally devastating. It could secretly record a victim's home office, small business office, doctor's medical records storage area, or similar sensitive interior space. Did you leave credit- or debit cards lying about on your desk or bedroom dresser? PlaceRaider could record the account numbers lying exposed. Did you leave your online banking screen open on your desktop computer monitor? PlaceRaider could record that, too.

Meanwhile, what's a consumer to do? All of the usualy steps:

• Be carefult about the apps you download. Look for trustworthy apps with privacy policies that they comply with
• Install and maintain anti-virus apps on your mobile device(s)
• Password protect your mobile device(s)
• Be careful about which WiFi hotspots you use your mobile device at, just as you would with any other computing device
• Use a mobile VPN connection when appropriate
• Use strong passwords, and change them every 90 or 120 days
• Don't use the same password for all of your online accounts and devices
• Place masking tape over your mobile device's camera lense when not using it for long periods.

Maybe some time soon, mobile device manufacturers will get smart and build lens covers into their mobile devices.

Ashesi University, Ethics, Africa, And I've Been Mugged Blog

I was very pleased to learn that while Ashesi University began teaching to its students in 2010 the ethics curriculum "Giving Voice To Values" (GVV) developed by Mary Gentile, the university also uses the I've Been Mugged interview with Gentile. Ashesi University, located in Ghana, is a private, secular liberal arts institution that offers bachelor degree programs in Computer Science, Management Information Systems and Business Administration. All students perform community service before graduation.

In July 2012, the university and the MasterCard Foundation jointly hosted the first-ever robotics competition in Ghana to encourage high school students to study computer science, engineering, and other technical fields. The Ashesi University Foundation, located in Seattle, Washington (USA) helps donors around the world support the school.

The school was founded in 2002 by Patrick Awuah, a graduate of Swarthmore College. Watch this June 2007 speech by Awuah at the Ted (Technology, Entertainment, and Design) Global Conference held in Arusha, Tanzania. The New York Times reported in January 2011:

"Africa has reached an inflection point with the march of democracy across the continent,” said Mr. Awuah, speaking at the World Innovation Summit for Education in Doha in November... We can bring change in one generation. How we train our leaders will make all the difference. According to Mr. Awuah, the goal of Ashesi, whose name means “beginning” in Akan, the local language of Ghana, is to train a new ethically responsible educated elite to break the cycle of corruption on the continent."

To find all schools (including Ashesi University) that offer the GVV ethics curriculum, browse the list of GVV pilot sites (Adobe PDF) maintained by Babson College, and its curriculum information. Visit the GVV book website to learn more about and the book, available to the public.

If you know of a school that uses the I've Been Mugged blog as part of an ethics or Interent-related curriculum, let me know or share it below.

Researchers At MIT Document Privacy Abuses By Smart Phone Apps

This week, the Boston Globe reported the findings of a study by a group of researchers at the Massachusetts Institute Of Technology. The research discovered that several Android apps track consumers' activities without notice and without consent. Researchers Frances Zhang and Fuming Shih investigated 36 apps that run on smart phones with the Android operating system:

"... some popular apps for phones running Google Inc.’s Android operating system are continually collecting information without informing the phone’s owner. The popular game Angry Birds uses the phone’s GPS and Wi-Fi wireless networking features to track the owner’s location, even when he’s not playing the game... Another game, Bowman, collects information from the phone’s Internet browser, including what websites the owner has been visiting..."

The researchers hope to patent their app-testing process so it can be used to test a wider range of mobile device apps. The researchers did not test Apple mobile devices.

While improved software will help consumers monitor apps for compliance with privacy policies, a survey earlier this year documented sporadic and inconsistent access to privacy policies for mobile device apps across all major brands.

Data Breach At University Of South Carolina Affects 34,000 People

The University of South Carolina experienced a data breach on an Internet-connected computer in its College of Education. The university is notifying 34,000 people, whose sensitive personal information has been exposed. The breach was discovered on June 6.

The University's breach announcement did not list the specific types of sensitive personal information exposed/stolen:

"Files on the server contained confidential, personally identifiable information of approximately 34,000 individuals."

McClatchy news service reported that the sensitive personal information exposed/stolen included the names, addresses and Social Security numbers of staff, researchers, and student at the College of Education since 2005.

The university advised breach victims to check their credit reports at the three major credit reporting agencies (e.g., Experian, Equifax, and TransUnion), and to place a fraud alert on their credit reports. The university did not name the credit monitoring/resolution service it has retained to assist breach victims, nor if it will provide that service freely to breach victims.

Organizations usualyy provide a couple years of free credit monitoring services after data breaches like this. This is the sixth breach at the University of South Carolina. Prior breaches:

• March 2011: 31,000 records exposed/stolen on 8 campuses affecting faculty, staff, retirees, and students
• June 2008: 7,000 records exposed/stolen during an office theft at the Moore School of Business
• September 2007: 1,482 students' files, including Social Security numbers, test scores, and grades, were exposed on an Internet-connect computer
• August 2006: 6,000 current and former students' sensitive information was exposed/stolen
• April 2006: 1,400 students' sensitive information, including Social Security numbers, was attached to and distributed in an email message by a faculty member

Given this poor history, the university's chief security officer and IT staff need to step up faculty/staff training and data security procedures at the school.

Data Breach At University of Nebraska

There is a storm brewing at the University of Nebraska. After a member of the school's information technology department discovered the data breach on May 23, the university distributed a notice on May 25 that the Nebraska Student Information Service, NeSIS, which contains sensitive information about students, alumni, and applicants had been accessed by unauthorized users.

Individuals are concerned because the types of data exposed or stolen includes school records, addresses, bank account information, and Social Security numbers. The breached database contains records for more than 650,000 individuals. The breach affects students, alumni, and applicants of the university’s four campuses, the Nebraska College of Technical Agriculture, plus university employees and parents of students who applied for financial aid.

In a letter to breach victims, Joshua Mauk, the university's Information Security Officer stated:

"On May 23, 2012, University personnel detected a security breach in the system indicating that an unauthorized individual had gained high-level access to the restricted database. This was a sophisticated and skilled attack on our system. Information in the system includes Social Security numbers, any bank account information associated with the NeSIS account, and personal and academic data. Our records indicate that you have a bank account that is associated with your NeSIS account, so we are writing to notify you of this breach and to advise you to monitor your bank accounts over the next several weeks and report any suspicious activity to your financial institution."

The letter also advises individuals to monitor their financial accounts and to consider placing a fraud alert or security freeze on their credit reports at the major credit reporting firms: Equifax, Experian, and TransUnion. The final number of records exposed/stolen has not been determined yet.

A breach investigation is underway by Nebraska University with local and federal law enforcement. The university has set up the http://nebraska.edu/security website to distribute updates about the breach and breach investigation.

Data security has been an issue in higher education since at least 2005: George Mason University (32,000 records). Recent, notable data breaches:

• May 3, 2012: University of Pittsburgh: undisclosed
• April 30, 2012: Volunteer State Community College (Tennessee): 14,000 records
• April 18, 2012: Emory Healthcare, Emory University Hospital: 315,000 records
• April 14, 2012: Texas A&M University: 4,000 records
• April 10, 2012: Case Western Reserve University: 600 records
• March 31, 2012; San Francisco State University: undisclosed
• March 16, 2012: University of Tampa: 30,000 records
• March 14, 2012: Humboldt State University: 5,700 records
• March 13, 2012: Brigham Young University: 1,300 records
• February 16, 2012: Central Connecticut State University: 18,763 records
• February 15, 2012: University of North Carolina at Charlotte: 350,000 records
• January 27, 2012: Indiana University (President's Challenge): 650,000 records
• January 20, 2012: Arizona State University: 300,000 records

Breach history source: Privacy Rights Clearinghouse

How To Get Help And File Complaints About Private Student Loans

To complete college and/or graduate-level study, many consumers took out student loans. According to the Consumer Financial Protection Bureau (CFPB):

"Student loans have now surpassed credit cards as the largest source of unsecured consumer debt... unlike federal student loans, private student loans do not generally have the same borrower protections such as military deferments, discharges upon death, or income-based repayment plans."

More help is available. The CFPB announced that it provides assistance for consumers who are experiencing problems with taking out a private student loan, repaying their private student loan, or managing a student loan that has gone into default and may have been referred to a debt collector:

• Before applying for loans, students should read the financial aid shopping sheet. Some consumers have already submitted feedback to the CFPB about what they want in this draft disclosure sheet. The CFPB will use this feedback in crafting future disclosure guidelines for lenders.
• Students who already have loans can use the Student Debt Repayment Assistant interactive, online tool to discover new repayment options.
• Borrowers who are experiencing difficulties paying loans, managing loans, or loans that have gone into default can now submit complaints at the CFPB website about private student loans. the types of complaints include: payment difficulties, confusing advertising or marketing terms, billing disputes, deferment issues, debt collection problems, and credit reporting issues.

Borrowers can also submit complaints to the CFPB via a toll-free phone number (1-855-411-2372), via fax (1-855-237-2392), and via postal mail (CFPB, P.O. Box 4503, Iowa City, Iowa 52244).

Private student loans are issued by banks, credit unions, schools, and similar lending institutions. If you aren’t sure what kind of loans you have, the CFPB advises students to visit the National Student Loan Database System for Students and select “Financial Aid Review” for a list of all federal loans made to you. Click each individual loan to see who the company is that collects payments from you.

Complaints about federal student loans (e.g., Direct, Stafford, Perkins, etc.) should be submitted to the U.S. Department of Education. The CFPB will automatically forward complaints it receives about federal student loans to the Department of Education.

Data Breach At City College Of San Francisco Affects Thousands

The San Francisco Chronicle reported that a data breach at the City College of San Francisco (CCSF) could affect tens of thousands of students, employees, faculty, and staff. After the Thanksgiving holiday, computer viruses were found installed on computers in the college's computer labs.

The computer viruses had been installed as long as 10 years ago, and transmitted stolen data to locations in several countries. The data stolen included personal banking and other sensitive personal data. According to the newspaper report:

"Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran... Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected."

The college has posted a page with frequently asked questions to assist its users. the page stated in part:

"Currently there is no evidence that any of the College’s main servers and databases held in trust by the College have been compromised. Our security consultants are still conducting their analysis but it appears at this time that the viruses focused on information taken off individual workstations and computer servers for student labs. Confidential student and employee information is held in trust and stored on District servers. Our network security consultants are continuing their analysis of the servers and we will communicate the results of this work as soon as it is available."

For users that have experienced identity theft or fraud, the college FAQ page directs users to the U.S. Federal Trade Commission (FTC) website for further assistance.

If this FAQ page is the extent of the breach notice by the college, then -- in my opinion -- it is woefully inadequate. It would seem that the data breach caught the school administration unprepared.

The notice should inform users about the results of the breach investigation and actions so this breach doesn't happen again. Since online banking credentials appear to have been stolen, that represents ways for identity criminals to access the bank accounts of breach victims to steal money and/or more personal information: personal data: full names, email addresses, street addresses, Social Security numbers, and mobile phone numbers. With this core personal data stolen, thieves can obtain credit fraudulently.

Given this, the breach notice should also provide contact information and links to the credit reporting agencies. Simply suggesting to users that they change their online passwords is not enough given the personal information exposed. If further fraud happens, the college needs to step in and provide free credit monitoring and resolution services.

Missouri State University Data Breach

Earlier this month, Missouri State University announced a data breach that affected 6,030 students in its College of Education. During October and November 2010, students' names and Social Security numbers were posted on an unsecure server connected to the Internet.

The affected students studied at the College of Education during 2005 through 2009. Reportedly, the university learned about the breach on February 22, 2011 when a person contacted the university about the breach.

As a result, the univeristy has disciplined the employee who posted the information online, worked with Google to remove the sensitive data from the search engine's web servers, provided affected consumers with complientary identity-theft insurance, and reported the breach to the Missouri Attorney General's office as required by law.

 

Report Cites Causes of Numerous Breach History in The State of Hawaii

A post last week covered several historical data breaches at the University of Hawaii. It seems that some government officials in the State of Hawaii are concerned and finally taking action about breaches across the state.

At the request of Hawaii State Senator Mike Gabbard, the Liberty Coalition, a Washington-based policy institute, analyzed the history and causes of all data breaches in the state since 2005. The trigger for this was the latest breach at the University of Hawaii which affected 40,000 students and alumni. Earlier this week, the Liberty Coalition issued Part 1 of its report (PDF format). Key findings from the report were pretty damning:

• "Since 2005, at least 479,000 Hawaii records have been breached: Almost one for every three residents."
• "The University of Hawaii is responsible for 54% of all breaches in Hawaii (259,000 records); more than all other Hawaii organizations combined."
• "As the single biggest contributor to Hawaii data breaches, the University of Hawaii has a pattern of breaches and unfulfilled promises."
• "Neither business nor academic organizations have adequate market incentives to keep personal information secure."
• "Breach notifications are vague and fail to empower victims. Victims cannot know which breach caused identity fraud, cannot hold organizations accountable, or protect themselves."

The breaches happened in a variety of ways, including hacking, lost or stolen laptops, negligence, or a combination of ways. I found this finding key:

"Although each breach event may differ slightly, Hawaii has a policy climate which does not give its citizens sufficient means to protect themselves from breaches. If identity fraud occurs, the entire burden rests on the individual to recover. In contrast, a breaching organization usually bears no responsibility to help victims recover."

That is a playing field heavily tilted toward businesses and against consumers,, students, and residents. The historical list of breaches in Hawaii since 2005:

1. June, 2005: University of Hawaii (UH) - 150,000 records
2. September, 2005: Internal Revenue Service (IRS) - 2,300 records
3. October, 2005: Wilcox Memorial Hospital - 130,000 records
4. November, 2005: Safeway - 1,400 records
5. April, 2006: NewTech Imaging - 40,000 records
6. January, 2007: Wahiawa Women, Infants and Children program (WIC) - 11,500 records
7. August, 2007: United States Postal Service - 3,000 records
8. April, 2009: Hawaii Department of Transportation - 1,892 records
9. April, 2009: UH - 15,487 records
10. June, 2009: A Hawaii Hospital ~1 record
11. November, 2009: Chaminade University - 4,500 records
12. February, 2010: UH Breaches - 35 records
13. April, 2010: Blood Bank of Hawaii's Donor Center - 25,000 records
14. June, 2010: Destination Hotels & Resorts - 500 records
15. June, 2010: UH - 53,821 records
16. October, 2010: UH - 40,101 records

The report's conclusion about the University of Hawaii:

"If UH had fulfilled its multiple promises to the Hawaii legislature and UH alumni, then all of its subsequent breaches would have been prevented or substantially mitigated. The fact that breaches continue to occur is evidence that UH has not implemented its policies, nor fulfilled its promises to the legislature. The Hawaii legislature must hold UH accountable..."

Business and higher education executives need to be fired, fined, and/or jailed. Or perhaps an entity needs to lose its funding temporarily. Business as usual is not acceptable. The report's conclusions about the state's existing laws about data ownership:

"Unfortunately, Hawaii law asserts, without legal precedent, that organizations may “own” or “license” personal information. The notion that organizations can “own” personal information is a threat to privacy because if you can own my personal information, you can own me. But intellectual property rights in personal information have little basis in law. Most personal information, such as names, addresses, phone numbers, and social security numbers are facts. Facts are not copyrightable. Personal information is not patentable..."

A threat to privacy? If Hawaiian residents don't own their personal information, they have no control over it. That means, effectively, no consumer privacy.

Part 2 of the report is due during the coming months. I look forward to reading responses from the Governor and state senators about the report's findings. If the state's legislature fails to publicly debate and implement stronger breach laws with consumer protections, then I hope residents elect new state representatives during the next elections. Or maybe a dip in tourism will prompt the needed changes.

The Liberty Coalition is an independent public policy organization that focuses on issues about civil liberties, basic rights, and individual privacy. The coalition works with 80 partner organizations, operates the National ID Watch project, and the Privacy Commons.The report is good work.

The University of Hawaii Majors In Data Breaches

I love the Hawaiian islands. I have visited there twice. First in 1979 and then in 2004. The second trip was a cruise from Honolulu around the islands. The weather, food, and surf were enjoyable. Unfortunately, its university has suffered data breaches like other colleges and universities around the USA.

In July 2010, the University of Hawaii at Manoa announced a data breach with it Parking Office database affecting about 40,000 persons. The breach occured on May 30, was discovered on June 15, and breach victims were notified July 6. The data exposed included Social Security Numbers and personal information were exposed for thse individuals, plus information for 200 credit cardholders. A few weeks later, the number of affected persons was revised upwards to 53,000. Affected individuals included:

"UH Mānoa faculty and staff members employed in 1998... faculty and staff employed within the UH system in 1998 and any registered student at UH Mānoa in 1998... Anyone who had business with the UH Mānoa Parking Office between January 1, 1998, and June 30, 2009..."

Basically, a lot of people related to the university was affected. In its announcement, the university referred breach victims to a website page with information about how to access their credit reports. The university did not offer its breach victims any credit monitoring or credit resolution services. Not good. Organizations usually do this, but not the UH.

In its July 2010 announcement, the university said:

"To protect personal information from further unauthorized access, Social Security numbers are no longer used for parking transactions, and are being purged from all current and historic Parking Office databases. Additional security measures that are being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks."

The university is just getting around to implementing these security measures? That might be understandable if this was the university's first data breach. Sadly, it wasn't.

In June 2005 the University of Hawaii Library in Honolulu experienced a breach where the personal information of 150,000 students, faculty, staff and library patrons was exposed and stolen. At that time, the university used Social Security numbers to track who checked out library materials. A former employee gained access to the personal information and used the Social Security numbers to obtain fraudulent loans.

And in May 2009, the university experienced another breach at its Kapiolani Community College campus in Honolulu. In this breach, 15,487 students who applied for financial aid were affected after an information-stealing computer virus was found on one of its Internet servers. The infected computer was connected to a network with names, addresses, phone numbers dates of birth, and Social Security numbers.

So, with this breach history the parking office is just getting around to removing Social Security numbers from its databases? Five years later?

But there is more. On October 29, 2010 the university experienced yet another breach. This breach at the University of Hawai'i West O'ahu (UHWO) in Pearl City included 40,101 records affecting students and alumni at both the UH and the University of Mānoa. The data exposed included names, Social Security numbers, birth dates, addresses and academic information. Reportedly, the faculty member who accidentally placed the files on an unencrypted Internet server retired before the breach was discovered.

This breach history makes me wonder if the University of Hawaii is serious about data security; if the senior executives at the school get that the school has a security problem. The school's latest announcement doesn't mention any training of faculty and staff about good data security habits. As Dark Reading noted:

"The vast majority of the breached information was placed online... by a now-retired Institutional Research Office (IRO) faculty member... he had [also] transferred large amounts of student information to his home computer for easier access. He deleted the remainder of this information after this breach came to light. The University of Hawaii has not commented on how many other faculty members have transferred student personal information to their home computers."

Sounds like the university needs a Chief Security Officer to help it develop some effective data security policies and then train the appropriate faculty and staff. Otherwsie, more breaches will likely happen. If the university already has a CSO, then it needs a new one.

Breach at Library Affects At Least 126,000 Florida Students

Last week, the College Center for Library Automation (CCLA) announced that it had experienced a data breach which exposed the sensitive personal information of 126,000 students at six colleges in Florida. During a computer upgrade at the CCLA, the breach victims' sensitive personal information was exposed on the Internet for five days from May 29 to June 2, 2010.

The CCLA provides all 28 of Florida's public colleges with library and information services. The breach notification (PDF) did not list the specific data items exposed or stolen. The notification advised affected students to place Fraud Alerts on their credit reports at the three major credit reporting agencies: Experian, Equifax, and TransUnion.

The company also provided a website with further information about the breach: www.cclaflorida.org/security. The website mentioned that breach victims included:

"Students, faculty, and staff members at the following Florida colleges: Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College."

This suggests that far more consumers than 126,000 students were affected by the breach. If I were a former employee at one of these schools, I'd want to know if my sensitive personal information was exposed/stolen, too. So, I wonder what the true number affected consumers is by this breach.

Since I started writing this blog in 2007, I have read dozens of breach notification letters. Frankly, this was one of the skimpiest and thinnest breach notifications I have read. Why?

First, the CCLA's breach notification didn't list the types of personal data items disclosed. It should have. And, the website didn't explain much more. The website did a good job of explaining the state law about what personal information triggers a breach notification:

"... individual's first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted: (a) Social security number; (b) Driver's license number or Florida Identification Card number; (c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."

The website described in a somewhat confusing and vague way the data items exposed/stolen:

"The personal information contained in the temporarily exposed records was incorporated into a longer string of alphanumeric information, and was not specifically identified by type of information in any way. The exposed data did not include any personal financial information such as credit card or bank account numbers, or any library usage records."

So, what exact data items were exposed? After reading this, I was left with the impression that full name, address, phone, birth date, Social Security number and driver's license data were exposed. The exact data items exposed/lost should have been clearly listed in both the breach notification and the website, since that indicates to consumers the seriousness of the breach, and what to do next.

Given the likely data items exposed/stolen, identity criminals have sufficient information to obtain credit fraudulently in the students' names: new loans, credit, credit cards and mortgages. Unfortunately, a new trend by identity criminals is the theft and use of children's Social Security numbers because their credit history is clean and easier to abuse.

Second, the breach notification didn't offer any free credit monitoring and resolution services to breach victims. This is standard practice by most companies after a breach: free credit monitoring services for a year or two. After all, the breach was CCLA's fault and not the breach victims' fault. Perhaps, each breach victim received a personal notification which included this offer.

If I were a victim of this breach, I'd assume the worst and would monitor my credit reports for fraudulent entries and not only place Fraud Alerts on my credit reports. Why? Some lenders may not comply with this. And consumers who have experienced fraud may need stronger protection, like Security Freezes for their credit reports. It is important to understand the differences between Fraud Alerts and Security Freezes.

Credit monitoring is helpful for consumers who are unfamiliar with both the financial/credit process and identity theft. These consumers often don't know what to do to protect themselves.

In my experience, students are often least informed about the dangers of identity theft versus identity fraud. Students often don't understand the financial/credit process and how valuable their clean credit is. CCLA could and should do a lot more to help its breach victims.

Some colleges and universities are providing cyber training classes to help students protect themselves online. And there is identity-theft information college students need to know. This data breach is an excellent opportunity for the CCLA and the colleges it supports to educate students about identity theft, identity fraud, and prevention tips. I can't think of a better function by a library and college.

What do you think?

College Offers Cyber Training For New & Current Students

As an information architecture professional, I have participated in website redesign projects for several colleges and universities. It's always a pleasure to make a college's or university's website easier to use and to navigate for the school's target audiences.

I was pleased to read about an upcoming event in October at Colin College in Texas titled, "Being a Cyber Smart Student- What You Do Now Can Affect You Later." It would be hard to find a truer title for this event. The event description:"

"Technology is a way of life for today's teens; however, what was cute in high school can have serious and long-term consequences in college and the real world. Dallas-Fort Worth Metroplex attorney, Lynn Rossi Scott, will discuss the pitfalls for college students, including copyright violations, identity theft, social networking, child pornography, cyberbullying, shaming, and sexting."

Hopefully, more colleges and universities will draw upon nearby privacy experts to offer similar training sessions to both current students and high school students. The identity theft risks are great, and both college students and high school students need the training. Learn more about tips for college graduates to avoid identity theft and fraud.

Boston Business Journal: BigBad Agency Closes

My former employer was in the news again this week. The Boston Business Journal reported:

"Digital marketing firm BigBad Inc. has shuttered... In recent years the firm has worked with the John F. Kennedy Presidential Library & Museum, Beth Israel Deaconess Medical Center, and Connecticut College, among others. BigBad’s board of directors voted to shut down the agency in March... At least one company that was a client when the agency closed received a letter notifying the company of BigBad’s closure..."

In March of this year, the Boston Business Journal reported the agency's problems. While the agency has taken down its website, its Facebook and Twitter pages were still available today.

I enjoyed working there at the company focused on the higher education and health care verticals. My projects included some really innovative website redesign work in 2009 for Wooster College, Miami University (Ohio), and other higher education website redesign projects that haven't yet launched. The iWooster application appeals to a wide variety of users, from prospective students to current students to alumni to parents of students.

What made my time at BigBad (about 18 months) really special was my coworkers... a really collaborative and supportive group of professionals. I wish them all the best and hope that we work together again soon.

Educational Credit Management Corporation Breach Affects 3.3 Million Borrowers

Well, it didn't take long. About 85 days into 2010, we now have the largest data breach of the year, by far.

Last week, the Education Credit Management Corporation (ECMC) announced in its web site that 3.3 million borrowers' sensitive personal data was stolen during a data breach. According to ECMC, the stolen data included:

"... names, addresses, dates of birth and Social Security numbers. No savings, checking or credit card information was included in the data."

This is not good. Not at all. First, a breach with a huge amount of sensitive data like this indicates a breakdown in security, employee training, or both. This huge amount of data should never be this vulnerable on any type of storage media: USB drive, external hard drive, portable device, or whatever.

Second, identity criminals can do a lot of damage with this stolen data types: from apply for fraudulent loans to sell victims' Social Security numbers to undocumented immigrants to use to gain employment.

ECMC insures more than $11 billion in student loans for the U.S. Department of Education. The data was stolen from the company's St. Paul, Minnesota headquarters during the weekend of March 20 - 21.

Yesterday, the Wall Street Journal reported:

"ECMC said the stolen information was on a portable media device... simple, old-fashioned theft... It was not a hacker incident... It plans to notify affected customers in writing this week... ECMC also owns Premiere Credit LLC, a federal student-loan collection agency. No Premiere accounts were affected by the theft... Federal student-loan guarantors such as ECMC, USA Funds and American Student Assistance have contracts with the federal government to insure student loans against default... ECMC is the designated guarantor for loans in Oregon, Virginia and Connecticut, but borrowers from all states could be affected."

What is particularly nasty about this theft is that many borrowers, students, represent a vulnerable consumer segment. This consumer segment is often the least experienced and prepared about identity theft and fraud. They don't have the awareness, knowledge and funds (yet) to monitor their credit reports for fraudulent loans and other activity, plus subscribe to credit monitoring and resolution services.

In my opinion, ECMC has done the minimum: arranged for only 12 months of free credit monitoring services for its breach victims. I expected a far longer period of free credit monitoring services. Four years minimum seems sufficient to me, since it allow the students to complete (and keep the focus upon) their education and enter the workforce. To ECMC's credit, the company-arranged services from Experian include both credit monitoring and credit resolution (PDF).

While many colleges and universities have policies about identity theft and data breaches for staff and faculty, only a handful of higher education institutions have produced identity theft prevention events for students. This massive breach could be an opportunity for insurers like ECMC to show how much they care -- to do more than the minimum. Provide a longer period of free credit monitoring/resolution services, plus support and fund college-based identity-theft education and prevention programs.

A Really Damaging Data Breach At the University of North Carolina

This blog does not cover every breach incident; only the ones with broad implications or where the organization should do more to help its breach victims. Campus Technology reported last week:

"A data breach that took place in 2007 at the University of North Carolina at Chapel Hill and was discovered in late July 2009 is finally being reported to victims by letter. University staffers reported that they believe the security breach exposed social security numbers for about 114,000 women, although about 180,000 records were potentially exposed as a result of the incident."

You can read online the breach notification letter (PDF format) from the University and its explanation of the breach event (PDF format). The following illustrates just how damaging this data breach was:

The women's records were part of a multi-year medical research study, the Carolina Mammography Registry, which collects and analyzes data from 31 sources in seven states using software developed by the university. The records also contained names and in many cases dates of birth, addresses, phone numbers, demographic information, insurance status, and health history information."

In my opinion, the University should do more beyond referring its breach victims to the three major credit-reporting agencies to file Fraud Alerts. The University should:

• Pay for at least five years of credit monitoring services for the breach victims, due to the ongoing threat to their financial accounts
• Pay the Security Freeze fees at all three major credit-reporting agencies, so the breach victims can lock down their credit reports
• Provide its breach victims with a user-friendly web site, and not a couple PDF documents, with ongoing status information about the breach incident investigation, what the university is doing to fix the problem, and what the university is doing to prevent further data breaches

Binghamton University Students Circulate Petition For Removal of CISO

This InformationWeek news article caught my attention:

"Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room. The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9."

First, kudos to the student reporter. Sloppy and poor data security should be reported. Second, the school's CISO should lose his/her job. This type of data breach happens far too often in higher education institutions:

"A recent report, "Breaches in the Academia Sector," by John Correlli of JMC Privacy Consulting Group, noted that from 2005 through 2007, there were 277 publicly reported breaches at colleges and universities in the United States. Eighty-nine of those incidents followed from unauthorized access, 45 came from accidental online exposure, and 37 were the result of a laptop theft. And of the 263 reported privacy data breaches in the United States in 2008, about one-third (76) occurred at colleges and universities."

The news broadcast from the local FOX television affiliate:

The good news: the Binghamton students "get it." They understand the importance of good data security and the consequences of poor data security. They understand the importance of accountability... of holding the proper person responsible. That person is the CISO.

Too bad that the University's officials don't get it.

Identity Theft Prevention Events at College And University Campuses

Any review will discover that the nationwide statistics for data breaches include colleges and universities. Colleges and universities archive the sensitive data about a wide range of consumers: students, applicants, alumni, parents, faculty, and employees.

Unlike corporations, most colleges and universities are transparent with their breach notices and disclose the number of records stolen or lost. Some of the larger data breaches* among higher education:

• Boston College: march 2005: computer system hacked: 120,00 records
• Tufts University; April 2005: computer system hacked: 106,000 records
• University of Utah: August 2005: computer system hacked: 100,000 records
• University of Texas McCombs School of Business: April 2006: computer system hacked: 197,000 records
• Ohio University: April 2006: computer system hacked: 300,000 records
• Western Illinois University: June 2006: computer system hacked: 180,000 records
• University of California at Los Angeles: December 2006: computer system hacked: 800,000 records
• University of Miami (Florida): April 2008: stolen computer tapes: 2.1 million records
• University of Utah Hospitals and Clinics: June 2008: stolen billing records: 2.2 million records

I was pleased to read that several colleges and universities are conducting identity-theft awareness and prevention events for students, faculty, and staff:

• "Protecting Yourself Against Identity Theft Lunch and Learn" on October 28, 2008 at the University of Baltimore to provide, "steps one can take to minimize the risk of identity theft. This training will highlight precautionary measures in addition to key facts and protection essentials."
• Miami University (Ohio) will conduct several events during October 28 - 30, 2008. Topics include "Computer Break-ins: From Beginning to Prosecution," "Security Awareness: Payment Cards," "Music and Video Downloads: Avoiding Legal Trouble," and more.
• On November 7, 2008 the University of Illinois will conduct a "Personal Privacy: Protecting Your Identity" session on identity theft
• Texas Tech University and the University of the Pacific both provide scam warnings, prevention, and recovery resources for their communities to protect against ID-theft

If you are a parent, its a good idea to encourage your son or daughter to attend any identity-theft training sessions at their school. If you are a student or faculty member, it's in your own best interest to attend events at your school. If your college or university doesn't provide identity-theft prevention training, ask them why they don't and when they will.

*Source: Chronology of Data Breaches, Privacy Rights Clearinghouse