Bates College employee mistake affects 508

Date Reported:
10/23/07

Organization:
Bates College

Contractor/Consultant/Branch:
None

Victims:
Bates College students that were the recipients of the federal Perkins Loan.

Number Affected:
508

Types of Data:
Legal name, address, date of birth, loan amount, and Social Security number.

Breach Description:
On October 15th, 2007, Conor Hurley, the Managing News Editor for The Bates Student, notified Bates College representatives that he had stumbled upon two poorly secured files on the school's "Bates network". The files contained personal information about Perkins Loan applicants and/or recipients.

Reference URL:
The Bates Student Report
The Sun Journal Report

Report Credit:
Conor Hurley, The Bates Student

Response:
From the online articles cited above:

"Two publicly accessible documents that contained the record of nearly 500 recipients of the federal Perkins Loan along with each recipient's address, date of birth, Social Security number, legal name and loan amount were uncovered on the Bates network by The Bates Student on Oct. 13."
[Comfyllama] It was unclear at first what "publicly" actually meant with respect to this breach. At first I thought "publicly" meant available through the Internet, which turns out to not be the case. The files were accessible through the Bates network only. Don't get me wrong, this is still serious.

"All that was necessary to access the files was a Bates username and password."
[Comfyllama] Easily guessed or cracked.

"The information which is intended to be private could easily be used for identification theft."

"Managing News Editor Conor Hurley of The Student informed the Student Financial Services Office (SFS) that the documents were publicly available on Oct. 15. The SFS Office claims to not have received Hurley's correspondence and the documents remained on the server."

"When Hurley contacted the SFS Office Monday, it attributed the mistake to the Information and Library Services Office but declined further comment."
[Comfyllama] I am guessing that "Monday" in this statement means October 22nd. This would mean that a week had passed before Bates College responded.

"Hurley was then contacted by the ILS at which point the documents were no longer available on the server. Hurley was brought in for an interview with Weimers and is currently a component of the investigation into the compromised documents."
[Comfyllama] ILS refers to Bates College Information and Library Services.

"Acknowledging the mistake yesterday afternoon, ILS intended to contact the nearly 500 loan recipients yesterday evening to inform them of the security breach, said Weimers. At a little past 9 p.m. Monday evening, an e-mail was sent out informing all Perkins Loan recipients that their information was potentially breached, and that the ILS was investigating the matter."

"According to Weimers and Dean of Students Tedd Goundie, while this sort of breach is a constant risk at every college, they have no memory of anything like this ever happening before at Bates."
[Comfyllama] Yup. Disclosure of confidential information is a constant risk at every organization that feels the importance of receiving and storing it.

"Wiemers said an error by a staff member resulted in the posting. The Perkins Loan records, he said, were meant to be available only to the Bates financial office."

Commentary:
There wasn't much of a response from the college detailing what it plans to do to make sure this kind of thing doesn't happen again. This breach encompassed the disclosure of two confidential files. I am wondering how many more there may be, and why nothing is mentioned about encryption as a policy or solution.
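The question of "how many more there may be" is answerable with a routine audit. The following Python script is an added example, not code from this breach record or from Bates College: it walks a directory tree, flags files that contain SSN-like strings, and reports whether each one is readable by every local account, which is the POSIX analogue of "all that was necessary was a Bates username and password". The directory layout, file names and records it creates are constructed for the demonstration.

```python
"""
Audit a directory tree for files that are readable by every local account
and that contain SSN-like strings. Added example (not from the breach record);
the tree, file names and records below are constructed for the demonstration.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# US Social Security number in dashed form (nnn-nn-nnnn). A cheap screen, not a validator.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Finding:
    path: str
    world_readable: bool
    ssn_count: int


def find_ssn_like(text: str) -> int:
    """Count SSN-like tokens in text."""
    return len(SSN_RE.findall(text))


def is_world_readable(path: str) -> bool:
    """True if the 'other' read bit is set in the file's POSIX mode."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_tree(root: str, max_bytes: int = 1 << 20) -> list[Finding]:
    """Report every file under root that holds SSN-like strings, most exposed first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)      # bounded read: large files are sampled, not loaded
            except OSError:
                continue                            # unreadable to the auditor: skip rather than crash
            n = find_ssn_like(data.decode("utf-8", errors="replace"))
            if n:
                findings.append(Finding(path, is_world_readable(path), n))
    # World-readable files first, then by number of records found.
    findings.sort(key=lambda f: (not f.world_readable, -f.ssn_count))
    return findings


def build_sample_tree() -> str:
    """Create a temp tree with constructed records mimicking the breach layout."""
    root = tempfile.mkdtemp(prefix="perkins_audit_")
    shared = os.path.join(root, "shared")      # hypothetical campus-wide share
    private = os.path.join(root, "sfs_only")   # hypothetical finance-office-only folder
    os.makedirs(shared)
    os.makedirs(private)
    # Constructed sample rows: name, date of birth, SSN, loan amount.
    rows = (
        "Jane Doe,1986-04-02,123-45-6789,2500\n"
        "John Roe,1985-11-30,987-65-4321,1800\n"
    )
    leaked = os.path.join(shared, "perkins_recipients.csv")
    with open(leaked, "w") as fh:
        fh.write(rows)
    os.chmod(leaked, 0o644)                    # readable by any account on the host
    locked = os.path.join(private, "perkins_recipients.csv")
    with open(locked, "w") as fh:
        fh.write(rows)
    os.chmod(locked, 0o600)                    # owner only
    benign = os.path.join(shared, "menu.txt")
    with open(benign, "w") as fh:
        fh.write("Commons dinner: 555-1234 for reservations\n")
    os.chmod(benign, 0o644)
    return root


if __name__ == "__main__":
    for f in audit_tree(build_sample_tree()):
        flag = "EXPOSED" if f.world_readable else "restricted"
        print(f"{flag:10} {f.ssn_count:3d} SSN-like  {f.path}")
```

Run it on the constructed tree and the world-readable copy in `shared/` is listed first; the owner-only copy is still reported, because the records exist in cleartext regardless of the permission bits, which is the point the commentary makes about encryption. On a real file server the same loop would be pointed at the share root and run from an account with ordinary user rights, so that "readable" means exactly what it meant to the student who found the files.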

Past Breaches:
Unknown
