University of Texas students exposed on FTP site

Date Reported:
10/10/07

Organization:
University of Texas System

Contractor/Consultant/Branch:
University of Texas at Austin

Victims:
Current and former University of Texas students who enrolled in a petroleum and geosystems class during the summers of 2001 and 2002.

Number Affected:
22

Types of Data:
Name, Social Security number, gender, major, grades, email address, and department

Breach Description:
A series of six files was discovered on an open FTP site. The files contained sensitive personal information about University of Texas Petroleum and Geosystems students who were enrolled in class number PGE383 during the summers of 2001 and 2002.

Reference URL:
The Liberty Coalition Report
Coverage at KXAN.com News

Report Credit:
Aaron Titus, the Liberty Coalition

Response:
From the online resources cited above:

"In late September, 2007 the Liberty Coalition discovered six files that contain the names, social security numbers, gender, majors, grades, email addresses, department, etc. of approximately 22 students or former students at the University of Texas at Austin Petroleum and Geosystems Department."

"The files were available on an open university FTP site accessible through the search engine, www.filewatcher.com and perhaps other search engines."
[Comfyllama] Filewatcher.com is an excellent resource for searching FTP sites.

"The affected students appear to be former enrollees of course PGE383 in the Summer of 2001 and 2002."
[Comfyllama] These dates seem to imply that the files were on the FTP site for a long time.

"The University and FBI were notified of the exposure. The files were taken offline within hours"

"the University of Texas at Austin takes these matters seriously and we are actively working to secure this information." - University of Texas Chief Information Security Officer Cam Beasley

"This pales in the nature that the information was exposed," said Brian Roberts of UT's Information Technology Services. "There was no overt effort to seek this information to breach a system as were the cases in the past."
[Comfyllama] I am not sure what Mr. Roberts means by these statements.

"a University official indicated that they planned to immediately notify affected individuals directly, where possible."

"The university said there is an ongoing effort to get rid of using Social Security numbers except where they are needed."
[Comfyllama] Amen to that!  Sounds to me like a good start.

Student Reaction:
"It's a little frightening," said student Julian Joseph.

"It's just really, really scary with identity theft and all that," said student Blanca Valencia.

"That seems like a big deal to me," said Lauren Eason.

"The school should be more responsible," Valencia said.

"I feel like they should be a lot more careful about things like that," Eason said.

Commentary:
This was an obvious mistake by someone at the University of Texas who was not properly trained in the handling of sensitive information. It is refreshing that the University of Texas is working towards removing Social Security numbers from places where they are no longer needed. It would behoove the university to do the same for any other confidential data. As I stated earlier, this is only a good start. I am sure that the University of Texas has other controls either in place or under consideration.

I am assuming that this breach occurred as a result of a university employee or student mistake.  Mistakes will always happen, but they can be significantly reduced in number and impact through formal information security training and awareness.  Organizations are starting to realize this fact and are increasing their efforts and spending.  I recommend that information security training be mandatory within the first 30 days of granting access to any information resource employed by an organization.  

We all benefit from information security training and awareness.

Past Breaches:
March, 2003 - UT Austin hack yields personal info on thousands
 
Comments
  • 6/30/2008 6:42 AM anon poster wrote:
    UT-Austin has been remediating such data for some time and was responsible for creating a very useful tool known as the Sensitive Number Finder (senf) back in 2005, which is now used by hundreds of Higher Education institutions throughout the country.

    https://source.its.utexas.edu/groups/its-iso/projects/senf/
    1. 7/5/2008 1:11 PM Evan Francen wrote:
      Very cool application.  It is now included in my toolkit!

      Thanks,
      Evan
