I love the Hawaiian islands. I have visited there twice. First in 1979 and then in 2004. The second trip was a cruise from Honolulu around the islands. The weather, food, and surf were enjoyable. Unfortunately, its university has suffered data breaches like other colleges and universities around the USA.
In July 2010, the University of Hawaii at Manoa announced a data breach with it Parking Office database affecting about 40,000 persons. The breach occured on May 30, was discovered on June 15, and breach victims were notified July 6. The data exposed included Social Security Numbers and personal information were exposed for thse individuals, plus information for 200 credit cardholders. A few weeks later, the number of affected persons was revised upwards to 53,000. Affected individuals included:
"UH Mānoa faculty and staff members employed in 1998... faculty and staff employed within the UH system in 1998 and any registered student at UH Mānoa in 1998... Anyone who had business with the UH Mānoa Parking Office between January 1, 1998, and June 30, 2009..."
Basically, a lot of people related to the university was affected. In its announcement, the university referred breach victims to a website page with information about how to access their credit reports. The university did not offer its breach victims any credit monitoring or credit resolution services. Not good. Organizations usually do this, but not the UH.
In its July 2010 announcement, the university said:
"To protect personal information from further unauthorized access, Social Security numbers are no longer used for parking transactions, and are being purged from all current and historic Parking Office databases. Additional security measures that are being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks."
The university is just getting around to implementing these security measures? That might be understandable if this was the university's first data breach. Sadly, it wasn't.
In June 2005 the University of Hawaii Library in Honolulu experienced a breach where the personal information of 150,000 students, faculty, staff and library patrons was exposed and stolen. At that time, the university used Social Security numbers to track who checked out library materials. A former employee gained access to the personal information and used the Social Security numbers to obtain fraudulent loans.
And in May 2009, the university experienced another breach at its Kapiolani Community College campus in Honolulu. In this breach, 15,487 students who applied for financial aid were affected after an information-stealing computer virus was found on one of its Internet servers. The infected computer was connected to a network with names, addresses, phone numbers dates of birth, and Social Security numbers.
So, with this breach history the parking office is just getting around to removing Social Security numbers from its databases? Five years later?
But there is more. On October 29, 2010 the university experienced yet another breach. This breach at the University of Hawai'i West O'ahu (UHWO) in Pearl City included 40,101 records affecting students and alumni at both the UH and the University of Mānoa. The data exposed included names, Social Security numbers, birth dates, addresses and academic information. Reportedly, the faculty member who accidentally placed the files on an unencrypted Internet server retired before the breach was discovered.
This breach history makes me wonder if the University of Hawaii is serious about data security; if the senior executives at the school get that the school has a security problem. The school's latest announcement doesn't mention any training of faculty and staff about good data security habits. As Dark Reading noted:
"The vast majority of the breached information was placed online... by a now-retired Institutional Research Office (IRO) faculty member... he had [also] transferred large amounts of student information to his home computer for easier access. He deleted the remainder of this information after this breach came to light. The University of Hawaii has not commented on how many other faculty members have transferred student personal information to their home computers."
Sounds like the university needs a Chief Security Officer to help it develop some effective data security policies and then train the appropriate faculty and staff. Otherwsie, more breaches will likely happen. If the university already has a CSO, then it needs a new one.