529 University of Wisconsin employees exposed
Technorati Tag: Security Breach
Date Reported:
1/16/08
Organization:
University of Wisconsin
Contractor/Consultant/Branch:
None
Victims:
Certain faculty and staff members who made purchases from the DoIT computer shop
Number Affected:
529
Types of Data:
University identification numbers*, email addresses and telephone numbers
*205 of the persons affected had a university identification number based on their Social Security number
Breach Description:
Personal information belonging to University of Wisconsin at Madison faculty and staff members who made purchases from the DoIT "computer shop" was exposed on a publicly accessible web server.
Reference URL:
The Capital Times news story
Milwaukee Journal Sentinel news story
United Press International news story
Report Credit:
David Callender, The Capital Times
Response:
From the online sources cited above:
UW-Madison officials waited more than a month before advising more than 200 faculty and staff members of a potential exposure of their personal information on the Internet last year.
The personal information -- including e-mail addresses, phone numbers and Social Security-based campus ID numbers of faculty and staff who made purchases from the DoIT computer shop -- had been accessible on a campus Internet site for at least a year, said Brian Rust, communications manager for the UW's department of information technology.
[Evan] One year before being noticed is too long. Is the DoIT site regularly tested for information security vulnerabilities? It should!
Rust said the Web-based database for DoIT employees was intended to keep track of sales transactions for statistical purposes.
[Evan] I wonder what personally identifiable information serves for statistical purposes.
He said the department only learned that purchasers' campus ID numbers -- some of which still use Social Security numbers -- could be accessed after a UW staffer found information about his own DoIT purchase during a routine online search.
Rust said the employees involved in the exposure were reprimanded, but declined to say what exactly their punishment entailed.
According to a letter to the affected faculty and staff dated Jan. 7, UW senior legal counsel Nancy Lynch wrote that the university became aware of the problem on Nov. 26.
Lynch wrote employees that their e-mail addresses, phone numbers and Social Security numbers were "inadvertently disclosed."
But Rust said the information did not constitute a security breach, since there was no indication that any unauthorized person -- other than the one staff member -- had actually accessed the information.
[Evan] Say huh? I guess it depends on your definition. According to Princeton University's WordNet, a breach is "a failure to perform some promised act or obligation" or "an opening (especially a gap in a dike or fortification)". According to Wisconsin law, a breach is "unauthorized acquisition of personal information", so I suppose if you have no evidence of the "unauthorized acquisition" you could get away with this statement. Please don't think about running a web server without logging to show unauthorized access!
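The logging point deserves a concrete illustration. The script below is an added example, not code from this post or from the university: it reads web server access logs in the common "combined" format, keeps only successful requests to the exposed resource, and reports every client that fetched it apart from the ones already accounted for (here, the staffer who reported the problem). The log lines, the `/sales/purchases` path and the IP addresses are all constructed for the example; the addresses come from documentation ranges and belong to no real host.

```python
"""
Added example (not from the original post or the university): reviewing web server
access logs to establish who fetched an exposed resource. Log lines, the URL path of
the sales database and the client addresses are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log line: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical path of the exposed purchase-records application.
SENSITIVE_PREFIX = "/sales/purchases"

# Constructed sample log: one internal client (the staffer who found his own record),
# one search-engine crawler, one external client that paged through the listing.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Nov/2007:09:14:02 -0600] "GET /sales/purchases?id=1042 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Nov/2007:03:22:11 -0600] "GET /sales/purchases?page=3 HTTP/1.1" 200 9120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.10 - - [26/Nov/2007:14:01:55 -0600] "GET /sales/purchases?id=1042 HTTP/1.1" 200 1834 "http://www.example.net/search" "Mozilla/5.0"
203.0.113.44 - - [27/Nov/2007:22:47:30 -0600] "GET /sales/purchases?page=1 HTTP/1.1" 200 9100 "-" "curl/7.16"
203.0.113.44 - - [27/Nov/2007:22:47:31 -0600] "GET /sales/purchases?page=2 HTTP/1.1" 200 9115 "-" "curl/7.16"
192.0.2.33 - - [28/Nov/2007:10:05:00 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Nov/2007:10:06:00 -0600] "GET /sales/purchases?id=999 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def summarize_access(log_text, sensitive_prefix=SENSITIVE_PREFIX, known_clients=()):
    """Per-client statistics for successful (200) requests under sensitive_prefix,
    skipping clients already accounted for (e.g. the staffer who reported the issue).
    An empty result is the evidence needed to say 'no one else retrieved it'."""
    stats = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                                 "agents": set(), "crawler": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if not rec["path"].startswith(sensitive_prefix) or rec["ip"] in known_clients:
            continue
        s = stats[rec["ip"]]
        s["hits"] += 1
        if s["first"] is None or rec["ts"] < s["first"]:
            s["first"] = rec["ts"]
        if s["last"] is None or rec["ts"] > s["last"]:
            s["last"] = rec["ts"]
        s["agents"].add(rec["ua"])
        # A crawler hit means the content may also be sitting in a search engine cache.
        if "bot" in rec["ua"].lower():
            s["crawler"] = True
    return dict(stats)


if __name__ == "__main__":
    for ip, s in summarize_access(SAMPLE_LOG, known_clients={"192.0.2.10"}).items():
        print(ip, s["hits"], s["first"], s["last"], "crawler" if s["crawler"] else "")
```

On the constructed sample the report shows two clients besides the reporting staffer: a search-engine crawler that indexed a listing page (so the data may persist in a cache even after the page is taken down) and an external client that paged through the listing with a command-line tool. That is exactly the kind of finding the "no indication that any unauthorized person had accessed the information" claim has to be backed by, and it is only available if the server kept its logs for the whole exposure window.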
Rust said the UW delayed notifying staff members because it had to determine whether any information had been used, develop corrective measures, and ascertain the UW's legal liability. He said the UW complied with a state law requiring anyone affected by such an exposure to be notified within 45 days of the event.
[Evan] But if this was not a security breach, then why follow the Wisconsin "breach" notification law?
Rust acknowledged that although the faculty and staff names may not have been included in the information that was disclosed, in many cases their identity could be gleaned from their e-mail addresses, which usually consist of all or part of an individual's name, and from online directories that allow searches by phone number.
[Evan] Yes, this is a good point. Many UW-Madison email addresses follow a naming convention.
He also admitted that the exposure was due to the design of the database, which had been in use for about a year. He said that programmers knew the information could be accessed from outside, but apparently no one recognized that the data might include Social Security numbers and other personal information.
[Evan] Nuts. When do information security personnel get involved?
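"No one recognized that the data might include Social Security numbers" is a data-classification failure, and it is the kind of check that can be automated before anything is put on a web server. The script below is an added example (not the university's code and not from this post): it audits a sales export for identifier values with the structure of a Social Security number and for contact fields, and then shows the alternative the "statistical purposes" justification actually needs, a keyed pseudonym in place of the campus ID so distinct purchasers can still be counted without the ID or contact details being stored. The column names and every record are constructed for the example.

```python
"""
Added example (not from the original post or the university): a pre-publication
check for a sales export that (1) flags identifier fields with the structure of a
Social Security number and (2) replaces the purchaser ID with a keyed pseudonym so
the statistics the database was built for still work without storing the ID.
Column names and every record below are constructed for illustration.
"""
import csv
import hashlib
import hmac
import io
import re

# SSN structure (SSA rules): 3-digit area, 2-digit group, 4-digit serial; area 000,
# 666 and 900-999 are never issued, and group 00 / serial 0000 are invalid.
SSN_SHAPE = re.compile(r"^(?P<area>\d{3})-?(?P<group>\d{2})-?(?P<serial>\d{4})$")

# Constructed sample export: one purchaser with an SSN-shaped ID written two ways,
# one 9-digit ID that cannot be an SSN (area 9xx), one short random ID.
SAMPLE_CSV = """\
campus_id,email,phone,item,amount,date
123-45-6789,jdoe@example.edu,608-555-0100,laptop,1299.00,2007-03-12
123456789,jdoe@example.edu,608-555-0100,mouse,24.99,2007-05-02
987654321,asmith@example.edu,608-555-0199,printer,349.50,2007-06-20
4417,blee@example.edu,(608) 555-0123,cable,9.95,2007-07-01
"""


def looks_like_ssn(value):
    """Heuristic: True if the value has SSN structure. A 9-digit random ID can also
    match, so a hit means 'review this column', not 'this is an SSN'."""
    m = SSN_SHAPE.match(value.strip())
    if not m:
        return False
    area, group, serial = m.group("area"), m.group("group"), m.group("serial")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify_record(row):
    """Names the personal-data categories present in one row."""
    flags = []
    if looks_like_ssn(row["campus_id"]):
        flags.append("ssn_shaped_id")
    if "@" in row["email"]:
        flags.append("email")
    if re.search(r"\d{3}\D*\d{3}\D*\d{4}", row["phone"]):
        flags.append("phone")
    return flags


def audit(rows):
    """Counts rows per category; any non-zero count should block publication."""
    counts = {}
    for r in rows:
        for f in classify_record(r):
            counts[f] = counts.get(f, 0) + 1
    return counts


def pseudonymize(rows, key):
    """Keeps only what sales statistics need and swaps the purchaser ID for an HMAC
    token. The key stays off the web server; without it the token cannot be reversed
    or matched against a guessed ID, yet equal IDs still map to equal tokens."""
    out = []
    for r in rows:
        digits = re.sub(r"\D", "", r["campus_id"])  # "123-45-6789" == "123456789"
        token = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"buyer": token, "item": r["item"],
                    "amount": float(r["amount"]), "date": r["date"]})
    return out


def distinct_buyers(pseudo_rows):
    """The statistic the original database was said to exist for."""
    return len({r["buyer"] for r in pseudo_rows})


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("audit:", audit(rows))
    pseudo = pseudonymize(rows, b"constructed-key-kept-off-the-web-server")
    print("distinct buyers:", distinct_buyers(pseudo))
```

The audit returns non-zero counts for every category on the sample, which is the signal that the export must not be published as-is; the pseudonymized copy carries no e-mail address, phone number or ID, and still answers "how many different people bought something" correctly because both spellings of the same ID hash to the same token. The SSN check is deliberately a heuristic: a randomly generated 9-digit campus ID can pass it too, so the right response to a hit is a review of that column, not an automatic decision either way.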
Rust said that, in contrast to those disclosures, anyone looking for personal information would have had to find the DoIT Web site in question and then would have had to know that some campus ID numbers still use Social Security numbers.
[Evan] It's not hard to find! www.doit.wisc.edu/ techstore.doit.wisc.edu/. Security through obscurity DOES NOT work. Just because the information may not be easy to find does not ensure that it is secure. Didn't the person who found this stumble upon it while doing an internet search?
In an effort to control the release of personal information, the UW stopped using students' and employees' Social Security numbers as part of their campus ID numbers several years ago. But some longtime employees have not changed that ID number to a new, randomly generated number, he said.
[Evan] This is an excellent move by the University of Wisconsin, seriously.
"It's not to say that we're not taking responsibility for this exposure, but this is a reminder that if people don't want something like this to ever happen again, then they should really change that number," he said, adding that DoIT plans to phase out all Social Security-based ID numbers within about a year.
[Evan] This statement is troubling.
Commentary:
I have many issues with this breach and follow-up statements by the university. Too many for a blog posting. What issues do you find?
Past Breaches:
Unknown