University of Florida student info online
Technorati Tag: Security Breach
Date Reported:
11/21/07
Organization:
University of Florida
Contractor/Consultant/Branch:
None
Victims:
Former UF students who enrolled in classes (ISM 4220 & ISM 4330) taught by information systems and operations management professor Richard Elnicki between 1998 and 2001.
Number Affected:
534
Types of Data:
"sensitive information" including Social Security numbers of 415 students.
Breach Description:
The Liberty Coalition discovered a file containing sensitive personal information about certain former University of Florida students was publicly available on the school's Computing & Networking Services Web site since 1998.
Reference URL:
The Independent Florida Alligator
Report Credit:
The Liberty Coalition
Response:
From the source cited above:
"Social Security numbers were posted on UF's Computing & Networking Services Web site"
"14 files on the Web site contained "sensitive information" of 534 former UF students, including 415 Social Security numbers."
"All the individuals were former students of Richard Elnicki, a professor of information systems and operations management, and had taken classes ISM 4220 or ISM 4330 with him between 1998 and 2001"
[Comfyllama] Information security and identity theft just weren't as popular back in the late '90s.
"the files were on a Computer & Networking Services server that required a password to upload files, though the public could download the files without a password."
[Comfyllama] More concern around bad guys storing warez or modifying files, maybe? Unsecured FTP and HTTP sites in the late '90s were popular places for hackers/crackers to store their files for free.
"The files were immediately removed by UF officials, who also worked with major search engines to clear their caches of the information, the release stated."
Steve Orlando, UF spokesman, said UF's investigation showed the numbers were posted in Elnicki's gradebook before UFID numbers.
[Comfyllama] I believe that the University of Florida stopped using Social Security numbers for identification some time ago, and now use UFIDs. Sound decision.
"the Computing & Networking Services Web site's logs indicated nobody had accessed the information in five years"
[Comfyllama] As long as the server shows no other signs of tampering, then it can be reasonably assumed that the information was not accessed through HTTP (maybe FTP).
"UF is trying to find how the numbers ended up online and also reach those who might have been affected"
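The log check quoted above covers only the web site's logs; Comfyllama's caveat is that an FTP download would not appear there. As an added example (not code from the post, UF or the Alligator), this Python scan reads constructed Apache combined-format and wu-ftpd xferlog lines, with placeholder file paths, and reports every successful retrieval of the named files by protocol, so an HTTP-only review and a combined review can be compared.

```python
import re

# Constructed sample log lines (not from UF); file paths are placeholders.
HTTP_LOG = """\
203.0.113.5 - - [02/Mar/2003:10:15:32 -0500] "GET /elnicki/ism4220/grades.xls HTTP/1.1" 200 48213
198.51.100.7 - - [14/Jul/2006:08:01:11 -0400] "GET /index.html HTTP/1.1" 200 1023
"""
# xferlog fields: date transfer-time remote-host size file type special direction access-mode user ...
# Direction 'i' is an upload (authenticated here), 'o' is a download by an anonymous user.
FTP_XFERLOG = """\
Mon Jul 10 14:20:00 2006 2 192.0.2.44 48213 /pub/elnicki/ism4330/grades.xls b _ i r elnicki ftp 0 * c
Mon Jul 10 14:22:05 2006 1 192.0.2.44 48213 /pub/elnicki/ism4330/grades.xls b _ o a anonymous@ ftp 0 * c
"""
SENSITIVE = ("/elnicki/ism4220/grades.xls", "/pub/elnicki/ism4330/grades.xls")

HTTP_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
XFER_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \d+ (?P<ip>\S+) \d+ (?P<path>\S+) '
                     r'\S \S (?P<direction>[oid]) (?P<mode>[arg]) (?P<user>\S+)')

def http_hits(log, sensitive):
    """Successful (2xx) HTTP requests for any of the sensitive paths."""
    hits = []
    for line in log.splitlines():
        m = HTTP_RE.match(line)
        if m and m['path'] in sensitive and m['status'].startswith('2'):
            hits.append(('http', m['ip'], m['ts'], m['path'], None))
    return hits

def ftp_hits(log, sensitive):
    """FTP downloads (direction 'o') of sensitive paths; uploads are ignored."""
    hits = []
    for line in log.splitlines():
        m = XFER_RE.match(line)
        if m and m['direction'] == 'o' and m['path'] in sensitive:
            who = 'anonymous' if m['mode'] == 'a' else m['user']
            hits.append(('ftp', m['ip'], m['ts'], m['path'], who))
    return hits

def exposure_report(http_log, ftp_log, sensitive):
    """Combined list of retrievals across both services, oldest evidence first."""
    return http_hits(http_log, sensitive) + ftp_hits(ftp_log, sensitive)

if __name__ == "__main__":
    print("HTTP only:", len(http_hits(HTTP_LOG, SENSITIVE)), "retrieval(s)")
    for hit in exposure_report(HTTP_LOG, FTP_XFERLOG, SENSITIVE):
        print(hit)
```

Run against the sample data, the HTTP-only review finds one retrieval while the combined review finds two, the second an anonymous FTP download that a web-log-only check would miss.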
Commentary:
This breach brings me back to the late '90s, so I will reminisce. In the late '90s I was working as the lead network engineer (there wasn't a dedicated security resource) for a software company that was really capitalizing on the Internet and all it had to offer. We hosted a series of load balanced and redundant FTP/HTTP servers for downloads in excess of 3,000,000 per month. From 1995-2000 none of the FTP/HTTP servers were firewalled and all of them allowed anonymous downloads. We only secured uploads, much like this UF server. Times have certainly changed, eh?
Enough of that.
Any company with a Web presence in the year 2007 should conduct external security audits no less than annually. E-commerce, popular and complex sites require them more often.
Past Breaches:
Unknown