University of Iowa inadvertently posts personal data to the Internet
Date Reported:
1/11/08
Organization:
University of Iowa
Contractor/Consultant/Branch:
None
Victims:
May 2006 College of Engineering graduates
Number Affected:
216
Types of Data:
Names, Social Security numbers and grade point averages (GPAs)
Breach Description:
A list containing sensitive personal information belonging to the University of Iowa's May 2006 College of Engineering graduates was inadvertently saved to a server accessible via the Internet. The file was exposed for several months before an external party alerted the university to the breach.
Reference URL:
The Des Moines Register Story
KCRG - TV News Story
Report Credit:
Erin Jordan, Register Iowa City Bureau
Response:
From the online sources cited above:
The University of Iowa is alerting 216 former students that their names, Social Security numbers and grade point averages were inadvertently posted on the Internet for several months.
The list of May 2006 College of Engineering graduates was put in the wrong place on a file server and ended up on the Internet, said U of I Information Technology Security Officer Jane Drews.
[Evan] Can anyone just publish files and other information to the Internet at the University of Iowa? Typically, web servers should be segregated from the internal network and access restricted to those people that are authorized to publish content. Content is published after testing and change control. Does any of this exist here?
Someone outside the university spotted the list earlier this month and alerted the U of I, Drews said. The list was then removed, she said.
[Evan] This would be embarrassing to me.
U of I technology staff believe there is little risk that the information was or will be misused.
[Evan] Should victims trust the university's risk assessment?
They are advising the students to take precautions to protect their financial information by placing "fraud alerts" on their files with the three major credit bureaus.
The college apologized for the recent incident, has corrected the problem, and said it would answer students' questions and provide assistance, if needed. To contact Drews, e-mail her at .
Commentary:
On one hand, this breach can be justified as a simple human error; on the other hand, I wonder if this breach is the result of something more. People need to be trained properly and be reminded constantly about information security risk and best practices, especially if they are authorized to work with confidential information.
I also question why Social Security numbers were necessary in the file in the first place. I hope the University of Iowa does not still use Social Security numbers as student identifiers. It would have been nice if the university had given a little more information about how they plan on preventing similar occurrences in the future.
Past Breaches:
October, 2007 - Stolen University of Iowa laptop exposes philosophy students
