In 2012 we learned that university data breaches are a real and growing threat. In honor of this week’s bowl games we decided to unscientifically match two large university data breaches in a comparative discussion. With 2013 being the year of prevention, we hope that both teams walk away with good ideas on how to prevent such breaches in the future.
While we’re all sitting here basking in the glow of the Stanford win in the Rose Bowl and the Ducks win in the Fiesta Bowl, it seems like a great time to look at the Bowl Series of data breaches for universities (dBCS) in 2012. Last year was a banner year for data breaches generally, but especially for universities who are entrusted with a great deal of personal information not just of their students, but also of alums, donors and faculty. I’d like to take a look at the outcome of the dBCS Sugar Bowl, where Western Connecticut State and the University of North Florida faced off.
Western Connecticut State made the Sugar Bowl this year due to an exposure of the personal records of 235,000 students, former students, parents, faculty, staff and individuals who sent their SAT scores to the college. This exposure occurred over a three-and-a-half-year period ending in September 2012, during which the university was unaware that the data was accessible. The exposure was due to incorrectly set configuration controls on a database at the university. This breach is notable in that the data involved went back quite a while, to 1999. Obviously, the university didn’t feel the need to purge the data of applicants, even those who were never admitted to the university. It is also notable for the university’s response. While they notified the 235,000 individuals by mail and offered a searchable database for those individuals to learn whether they were actually affected, they didn’t offer any specific product or service to address the potential identity theft issues that might have resulted, based on their “feeling” that the risk really wasn’t very high. “The feeling is, among our IT people, that it would have been difficult to put all the parts together to get in, and secondly, we don’t see any information that anything was taken,” noted spokesman Paul Steinmetz.
Competing against Western Connecticut for dBCS bragging rights is the University of North Florida. North Florida experienced a data breach between May 21 and September 24, 2012, in which data on approximately 300,000 employees was exposed by hackers who accessed a folder containing this information on the university’s main server. This was a malicious attack, and some of the employees became victims of identity theft and fraud. The data accessed, unfortunately for the employees, included banking direct deposit information: bank routing and account numbers. This allowed the hackers to target employee bank accounts for attack. The university notified all of the affected individuals, set up communications for questions via email and phone, provided a website with detailed FAQs and offered a free year of credit monitoring by Experian.
So now that I’ve covered the play-by-play for each breach, let’s look at the results of the game. While the University of North Florida experienced a more severe breach, resulting in actual identity theft and financial fraud, their handling of the breach, their communications with affected individuals, and their follow-up remediation steps appear to have been textbook. Western Connecticut, on the other hand, appears to have treated this breach with a bit of a “cavalier” attitude. Because they couldn’t find forensic evidence that the information was acquired by outsiders, their attitude seems to be more nonchalant than warranted, in my opinion.
Western Connecticut had a “hole” in their database security for over 3 years that provided a valid attack vector for bad guys. They had data retention policies that allowed them to keep sensitive personal information for decades for no valid business or academic reason. And as far as I can tell from outside appearances, they didn’t take this incident as the serious wake-up call to address their overall security posture that it should have been. The university should have taken a deep breath and celebrated that their negligence did not appear to negatively affect their constituents. And then they should have embarked on a major initiative to analyze their privacy and security from top to bottom, via a holistic analysis and review of all security, controls, and policies regarding privacy data. Given that this didn’t appear to be the case, the Western Connecticut State 2012 data breach WINS the dBCS Sugar Bowl. Congratulations!