Three breaches in one announcement at Montana State University

Date Reported:
11/06/07

Organization:
Montana State University

Contractor/Consultant/Branch:
None

Victims:
Certain Montana State University students and employees

Number Affected:
271*

*Breach #1 - 216 students and employees who lived in on-campus housing from 1998 to 2007, Breach #2 - 42 mostly new hires during the summer of 2006, and Breach #3 - 13 people affiliated with the school's Department of Computer Science.

Types of Data:
Names and Social Security numbers

Breach Description:
Montana State University reports three more data security breaches involving sensitive personal information about certain university students and employees.  One breach involved a lost data storage device and the other two involved files inadvertently placed on the school's web site.  These three breaches come on the heels of an October, 2007 breach affecting 1,400 students.

Reference URL:
Associated Press Story via KX TV
MSU News Service Story via Billings Gazette

Report Credit:
MSU News Service through the Billings Gazette

Response:
From the online sources cited above:

"Montana State University is informing 271 people that their Social Security numbers may have been exposed in one of three separate data security breaches."
[Comfyllama] This is the first time I have seen three data security breaches reported at the same time.  Ugh!

"On Nov. 2, it was determined that a stolen data storage device contained the Social Security numbers of 216 students and employees who lived in on-campus housing from 1998 to the spring of 2007."
[Comfyllama] Breach #1.  A stolen data storage device (probably a flash drive) with confidential information stored on it without the benefit of encryption.  At the very least I hope this is against school policy.  The fact that this is one of four breaches reported in the last month does not instill any confidence.

"In a separate incident that also occurred on Nov. 2, an independent security analyst informed university data security staff that an Excel spreadsheet with the names and Social Security numbers of 42 people - mostly new hires during the summer of 2006 - was available on the MSU Web site. The spreadsheet was immediately removed."
[Comfyllama] Breach #2.

"While investigating the Excel spreadsheet incident, MSU data-security staff discovered another Excel spreadsheet with the Social Security numbers of 13 people affiliated with the Department of Computer Science on the university's Web site. It, too, was immediately removed."
[Comfyllama] And Breach #3 or is it 4?  I lose count with these guys.

"We take these incidents very seriously and act as swiftly as we can to notify the affected parties," said Cathy Conover, an MSU spokeswoman. "We try to learn as much as we can from each incident to improve our security and are investing a great deal of time to prevent these events from happening again."
[Comfyllama] Be your own judge.  I could say something here, but I think the facts speak for themselves.

"The information on the storage device was not encrypted. University police and the Gallatin County Sheriff's Office have been informed of the theft."

"MSU Residence Life will be removing all sensitive personal information from portable data-storage devices to prevent this event from happening again."

"Even though we don't believe the thief, or thieves, targeted the data on the device, this is a very serious matter, and we want to alert students and employees that their personal data may be vulnerable to abuse," Conover said.

"We've used our Web site to post a list of actions we recommend people take to protect themselves."
[Comfyllama] The URL is www.montana.edu/securityalert/

"With regard to the first Excel spreadsheet, MSU was notified of its presence on the Web by an outside data security watchdog group. The spreadsheet was saved in error by a Human Resources/Personnel and Payroll employee in August 2006 and then inadvertently posted on the Web in July 2007."

"MSU's Human Resources/Personnel and Payroll Department does have security protocols to prevent this kind of human error, but those protocols were implemented after August 2006."
[Comfyllama] Does anyone at the school conduct regular information security audits?  If not, how do you know if you are doing what you set out to do?  Every good information security program MUST include regular assessments and audits.
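As an added example (not from the post, and not MSU's own tooling), here is the kind of periodic audit check the commentary above calls for: a scan of files served from a web root for Social Security numbers, using SSA structure rules to filter out phone numbers and other nine-digit strings. The sample files and paths are constructed so the script runs offline.

```python
"""Audit scan for Social Security numbers exposed in files under a web root.

Added example, not part of the original post or MSU's procedures. The sample
"web root" below is constructed in memory; scan_directory() applies the same
check to a real directory tree.
"""
import os
import re

# Dashed form (123-45-6789) or nine bare digits, not embedded in a longer number.
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and group 00 / serial 0000 are never issued either."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssn_exposures(files: dict) -> dict:
    """Return {path: number of plausible SSNs} for files containing at least one."""
    findings = {}
    for path, text in files.items():
        hits = [m for m in SSN_PATTERN.finditer(text) if is_plausible_ssn(*m.groups())]
        if hits:
            findings[path] = len(hits)
    return findings


def scan_directory(root: str) -> dict:
    """Walk a real web root and run the same check over every file as text.
    Note: .xlsx files are zipped XML, so export them to CSV before scanning."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                files[path] = fh.read()
    return find_ssn_exposures(files)


# Constructed sample web root: a mistakenly published voucher export, a hiring
# list, and two pages that must not trigger (phone numbers, invalid areas).
SAMPLE_WEB_ROOT = {
    "cs/travel_vouchers.csv": "name,ssn,amount\nA. Sample,123-45-6789,210.00\nB. Sample,212-34-5678,88.50\n",
    "hr/new_hires_2006.csv": "name,ssn\nC. Sample,219876543\n",
    "about/contact.html": "<p>Call 406-994-0211 or fax 406-994-1234.</p>",
    "news/archive.html": "<p>Order 000-12-3456 shipped; invoice 666-55-1234; ref 900-11-2222.</p>",
}

if __name__ == "__main__":
    for path, count in sorted(find_ssn_exposures(SAMPLE_WEB_ROOT).items()):
        print(f"{path}: {count} possible SSN(s)")
```

Run it on a schedule against the published document tree and alert on any non-empty result; an empty result on the sample's HTML pages shows the SSA rules are doing their job.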

"The second Excel spreadsheet containing the Social Security numbers of 13 people affiliated with the Department of Computer Science was generated for travel vouchers. An employee mistakenly posted it to the MSU Web in 2002, university data-security staff determined."

"The College of Engineering plans to improve security awareness of employees who deal with sensitive data and implement protocols and procedures to minimize any potential exposure of sensitive information."

Commentary:
Sheesh!  Three breaches in the same announcement has got to be some kind of dubious record.  It seems like the University of Montana has no formal information security program.  Their whole protection of confidential data appears to be reactive, without any real understanding of what it takes to adequately secure information.  It is impossible to guarantee information security, but the school could at least follow well-known best practices.

Can you pick out the would-be violations of any well written information security policy?

What can you say about an organization that has experienced four (4) breaches of security involving personally identifiable information within a month?

Past Breaches:
October, 2007 - Montana State University server accessed by unknown hacker