A Really Damaging Data Breach At the University of North Carolina

This blog does not cover every breach incident; only the ones with broad implications or where the organization should do more to help its breach victims. Campus Technology reported last week:

"A data breach that took place in 2007 at the University of North Carolina at Chapel Hill and was discovered in late July 2009 is finally being reported to victims by letter. University staffers reported that they believe the security breach exposed social security numbers for about 114,000 women, although about 180,000 records were potentially exposed as a result of the incident."

You can read online the breach notification letter (PDF format) from the University and its explanation of the breach event (PDF format). The following illustrates just how damaging this data breach was:

The women's records were part of a multi-year medical research study, the Carolina Mammography Registry, which collects and analyzes data from 31 sources in seven states using software developed by the university. The records also contained names and in many cases dates of birth, addresses, phone numbers, demographic information, insurance status, and health history information."

In my opinion, the University should do more beyond referring its breach victims to the three major credit-reporting agencies to file Fraud Alerts. The University should:

• Pay for at least five years of credit monitoring services for the breach victims, due to the ongoing threat to their financial accounts
• Pay the Security Freeze fees at all three major credit-reporting agencies, so the breach victims can lock down their credit reports
• Provide its breach victims with a user-friendly web site, and not a couple PDF documents, with ongoing status information about the breach incident investigation, what the university is doing to fix the problem, and what the university is doing to prevent further data breaches

Binghamton University Students Circulate Petition For Removal of CISO

This InformationWeek news article caught my attention:

"Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room. The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9."

First, kudos to the student reporter. Sloppy and poor data security should be reported. Second, the school's CISO should lose his/her job. This type of data breach happens far too often in higher education institutions:

"A recent report, "Breaches in the Academia Sector," by John Correlli of JMC Privacy Consulting Group, noted that from 2005 through 2007, there were 277 publicly reported breaches at colleges and universities in the United States. Eighty-nine of those incidents followed from unauthorized access, 45 came from accidental online exposure, and 37 were the result of a laptop theft. And of the 263 reported privacy data breaches in the United States in 2008, about one-third (76) occurred at colleges and universities."

The news broadcast from the local FOX television affiliate:

The good news: the Binghamton students "get it." They understand the importance of good data security and the consequences of poor data security. They understand the importance of accountability... of holding the proper person responsible. That person is the CISO.

Too bad that the University's officials don't get it.

Identity Theft Prevention Events at College And University Campuses

Any review will discover that the nationwide statistics for data breaches include colleges and universities. Colleges and universities archive the sensitive data about a wide range of consumers: students, applicants, alumni, parents, faculty, and employees.

Unlike corporations, most colleges and universities are transparent with their breach notices and disclose the number of records stolen or lost. Some of the larger data breaches* among higher education:

• Boston College: march 2005: computer system hacked: 120,00 records
• Tufts University; April 2005: computer system hacked: 106,000 records
• University of Utah: August 2005: computer system hacked: 100,000 records
• University of Texas McCombs School of Business: April 2006: computer system hacked: 197,000 records
• Ohio University: April 2006: computer system hacked: 300,000 records
• Western Illinois University: June 2006: computer system hacked: 180,000 records
• University of California at Los Angeles: December 2006: computer system hacked: 800,000 records
• University of Miami (Florida): April 2008: stolen computer tapes: 2.1 million records
• University of Utah Hospitals and Clinics: June 2008: stolen billing records: 2.2 million records

I was pleased to read that several colleges and universities are conducting identity-theft awareness and prevention events for students, faculty, and staff:

• "Protecting Yourself Against Identity Theft Lunch and Learn" on October 28, 2008 at the University of Baltimore to provide, "steps one can take to minimize the risk of identity theft. This training will highlight precautionary measures in addition to key facts and protection essentials."
• Miami University (Ohio) will conduct several events during October 28 - 30, 2008. Topics include "Computer Break-ins: From Beginning to Prosecution," "Security Awareness: Payment Cards," "Music and Video Downloads: Avoiding Legal Trouble," and more.
• On November 7, 2008 the University of Illinois will conduct a "Personal Privacy: Protecting Your Identity" session on identity theft
• Texas Tech University and the University of the Pacific both provide scam warnings, prevention, and recovery resources for their communities to protect against ID-theft

If you are a parent, its a good idea to encourage your son or daughter to attend any identity-theft training sessions at their school. If you are a student or faculty member, it's in your own best interest to attend events at your school. If your college or university doesn't provide identity-theft prevention training, ask them why they don't and when they will.

*Source: Chronology of Data Breaches, Privacy Rights Clearinghouse