In 2012 we learned that university data breaches are a real and growing threat. In honor of this week’s bowl games we decided to unscientifically match two large university data breaches in a comparative discussion. With 2013 being the year of prevention, we hope that both teams walk away with good ideas on how to prevent such breaches in the future.
With the BCS Championship game now in the rear view mirror, it is time to safely tuck away the 2012 college football season. While I should say “congrats” to Bama, I can’t help but feel a bit sad for the Irish.
Was the win by Alabama just further confirmation that the south plays better football? Do southern teams have the best combination of strategy, speed and confidence? And what about consistency? Maybe that is true on the field. But off the field, two southern university breaches may call their strategy, speed, confidence and consistency into question.
Both the University of South Carolina and the University of Texas made the dBCS Orange Bowl this year. Let’s review the stats – especially how their strategy, speed and consistency impacted the outcome of their breaches.
The University of South Carolina had a pretty good year on the field with an 11-2 season and even finished 8th in the AP poll. But consistency is perhaps a generous description. Since 2006, the Gamecocks have had a consistently bad performance on the field.
Off the field, the University has had an equally inconsistent performance for protecting personal information. In fact the University has had six data breaches since 2006. Most recently, the College of Education server was hacked by “overseas” attackers passing data from approximately 34,000 students, staff and researchers dating back to 2005. Notification took 11 weeks – penalty for delay of game?
Now let’s look at The University of Texas Longhorns. Sports reporters called the team performance in 2012 “mediocre.” Ouch. The Longhorns were the team that could have been. The talent was there. Let’s just call it a leadership issue (time for Mack Brown to go?)
Leadership in the face of a data breach is what sets winners and losers apart. A physician with The University of Texas M.D. Anderson Cancer Center had an unencrypted laptop stolen from his home early last year. Break-ins happen. Things get stolen. But this time, that stolen laptop had records for 30,000 patients including medical ID and treatment information. At least 10,000 of those patient records had social security numbers. It took more than eight weeks to notify these patients. Penalty flag.
If that isn’t enough, ANOTHER unencrypted laptop was stolen just a few months later. This time, the affected population was 2220. Who was coaching this team? Perhaps the Athletic Department took over the role of CISO?
In the end, it comes down to overall performance – or lack of performance in this case – to determine who wins the 2012 Orange Bowl dBCS. I am giving it to South Carolina. Beth Given, the director of the Privacy Rights Clearinghouse even said, “That’s a dreadful track record.” An average of one data breach per year, tells us that they have a hole on their team. Delayed notification points to a lack of operational efficiency. Leadership is lacking. Procedural improvements are not a priority.
Sorry Woodcocks. I hope that 2013 points to a renewed commitment to privacy protection as well as your football program.