Dixie State College assumes responsibility in breach affecting 11,000

Date Reported:
10/24/07

Organization:
Dixie State College

Contractor/Consultant/Branch:
None

Victims:
Former students, alumni and current and former employees

Number Affected:
11,000

Types of Data:
Name, address, birth date, and Social Security number.

Breach Description:
On September 11, 2007, an anonymous caller contacted Dixie State College staff to report that they had accessed "numerous confidential files containing personal information, including Social Security numbers, birth dates and addresses and other information" online. It is not clear whether the caller was a "hacker" or someone who simply stumbled upon the information. The files were accessible through an internal DSC search engine for a period of up to 14 months.

Reference URL:
Dixie State College PR Announcement
The Spectrum Online Report
Deseret Morning News Report

Report Credit:
Dixie State College Public Relations Department

Response:
From the official school breach site and online resources cited above:

"Dixie State College of Utah’s Information Technology (IT) staff became aware of a security incident on September 11, 2007, in which an unauthorized individual was able to gain online access to files holding personal information, including Social Security numbers, birth date information and addresses, of former students, alumni and former employees. The files did not contain any credit card or financial data."

"On Sept. 11, an anonymous caller contacted staff about an incident during which they accessed numerous confidential files containing personal information, including Social Security numbers, birth dates and addresses and other information, said Steve Johnson, the college's public relations director."
[Comfyllama] Was the anonymous caller someone who circumvented security, or someone who simply stumbled upon the information in the course of other legitimate tasks? Indications are that this was likely an innocent person who stumbled upon the information.

"Once DSC officials became aware of the incident, the compromised files were immediately deleted from the server. In addition, law enforcement officials, along with the Utah State Attorney General’s office and the Utah Higher Education Commissioner’s office, were notified."
[Comfyllama] Overall, I like how DSC responded to the breach. An incident response plan (or incident response policy and procedures) is critical to ensuring a good, organized response to a breach.

"The files were accessible through an internal DSC search engine for a period of up to 14 months, though it appears those files were not accessible to public search engines such as Google or Yahoo!."
[Comfyllama] 14 months!? DSC should be thankful that the anonymous caller contacted them. Chances are pretty good that someone else had accessed this information previously and either did not recognize its importance or just didn't bother to inform the school. I wonder whether DSC conducts periodic security audits of its systems and, if so, why this was not detected earlier.

“At this time, there is no evidence that the information has been misused,” said Gary Koeven, DSC dean of information services. “However we take this risk very seriously and are taking steps to notify those individuals listed in the files as well as our entire campus community. The situation will continue to be monitored.”

"DSC officials have confirmed that the files were accessed, though it is inconclusive as to whether any sensitive information was actually accessed and/or acquired. Koeven added that efforts are being made to notify those affected."

"Koeven also noted that a thorough information technology audit is currently under way and that all security and IT processes are being reviewed and will continue to be strengthened."
[Comfyllama] Good! I hope someone holds DSC accountable on this pledge.

“We regret that this incident has occurred, and we want to let everyone in the Dixie State College community know that we take this matter and all security issues very seriously,” DSC President Dr. Lee Caldwell said. “We know and understand the danger of identity theft and we are committed to ensuring that this does not happen again at this institution.”
[Comfyllama] I am always impressed with leaders that step up to the plate.

"Those potentially affected are urged to take precautionary measures by monitoring their bank and credit card statements. In addition, individuals are encouraged to request a free copy of their credit report and review it thoroughly and, if necessary, place a fraud alert on their credit."

"To further assist, update and provide as much information as possible, Dixie State College has created a Web site dedicated to this issue at www.dixie.edu/idprotect. DSC has also established a toll-free telephone hotline accessible at 1-. Individuals may also e-mail questions and concerns to ."

Commentary:
This sounds like a simple mistake on the part of Dixie State College (DSC). Perhaps an employee inadvertently placed the file in an unsecured location. Before passing judgment (which I am usually quick to do with breaches!), it would be nice to know what the purpose of the file was and whether it was exposed by mistake or whether a technical vulnerability is at play.

I do like some of the reactions from Dixie State College. DSC officials have pledged to conduct a thorough audit of their IT systems and to strengthen security and IT processes. Sometimes with mistakes all you can do is apologize, evaluate, and strengthen. I hope DSC takes a serious look at what data it collects, evaluates whether it really needs to collect as much as it does, and uses encryption for confidential information. Obviously, there is MUCH more to security than this, but these are good steps in the right direction.
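The audit point above is worth making concrete: a file full of Social Security numbers sat in an internally searchable location for more than a year, and nobody noticed until an outsider called. The following is an added example, not DSC's code or anything from the reports cited here, of the kind of scheduled check that would have flagged it. It scans a set of documents (constructed in-memory strings standing in for files an internal search engine would index) for plausible SSNs, applies the Social Security Administration's structural rules to weed out phone numbers, dates and IDs, and reports only masked values so the audit log does not itself become a second copy of the exposed data. File names and contents are made up for the example.

```python
"""Periodic audit for exposed SSN-like data in indexable files.

Hypothetical example, not Dixie State College's code. The documents below
are constructed stand-ins for files an internal search engine would index.
"""
import re
from typing import Dict, List, Tuple

# ddd-dd-dddd, ddd dd dddd or ddddddddd, bounded by non-digits so that longer
# digit runs (phone numbers, student IDs, account numbers) do not partially match.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and neither the group nor the serial field is ever all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def mask(ssn_digits: str) -> str:
    """Keep only the last four digits in the report."""
    return "***-**-" + ssn_digits[-4:]


def scan_text(text: str) -> List[str]:
    """Return masked SSN candidates in one document, de-duplicated, in first-seen order."""
    found: List[str] = []
    seen = set()
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if not looks_like_ssn(area, group, serial):
            continue
        digits = area + group + serial
        if digits not in seen:
            seen.add(digits)
            found.append(mask(digits))
    return found


def scan_documents(docs: Dict[str, str]) -> List[Tuple[str, int, List[str]]]:
    """Scan every document; return (name, count, up to three masked samples)
    for each one holding at least one plausible SSN, worst offenders first."""
    hits = []
    for name, text in docs.items():
        matches = scan_text(text)
        if matches:
            hits.append((name, len(matches), matches[:3]))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


# Constructed sample "files"; none of these values are real.
SAMPLE_DOCS = {
    "alumni_2006.csv": (
        "name,ssn,dob\n"
        "Jane Roe,123-45-6789,1984-02-11\n"
        "John Doe,587 65 4321,1979-07-30\n"
        "Dup Entry,123456789,1984-02-11\n"
    ),
    "catalog.txt": "Call 435-652-7500 for registration. Course 000-12-3456 is closed.",
    "invoice.txt": "PO 666-55-1234 ref 999-99-9999; total $12,345.67",
}

if __name__ == "__main__":
    for name, count, samples in scan_documents(SAMPLE_DOCS):
        print(f"{name}: {count} SSN candidate(s), e.g. {', '.join(samples)}")
```

Run on the sample set, only alumni_2006.csv is reported (two distinct SSNs; the duplicate unformatted copy collapses into the first), while the phone number, the date of birth, the 000/666/9xx area numbers and the dollar amount are all ignored. Pointed at the directory an internal search engine indexes and run nightly, a check like this turns a 14-month exposure into a next-morning ticket.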

Past Breaches:
Unknown