Confidential Texas A & M personnel file exposed on the Internet

Date Reported:
2/16/08

Organization:
Texas A&M University

Contractor/Consultant/Branch:
None

Victims:
Current and former employees of the Texas AgriLife Extension and Texas AgriLife Research -- formerly Texas Cooperative Extension and Texas Agricultural Experiment Station, respectively -- and the College of Agriculture and Life Sciences

Number Affected:
3,000

Types of Data:
Names and Social Security numbers

Breach Description:
A file containing sensitive personal information belonging to current and former employees of three Texas A&M organizations was inadvertently uploaded to a server that was publicly accessible over the Internet.  The file was available on the server for up to three weeks before it was detected during a routine examination.

Reference URL:
The AgriLIFE RESEARCH news release

The Bryan/College Station Eagle online story

Report Credit:
Dave Hayes, Texas A&M University

Response:
From the online sources cited above:

Computer records containing names and Social Security numbers of 3,000 current and former employees of two Texas A&M System agricultural agencies and the College of Agriculture and Life Sciences were inadvertently made accessible over the Internet.

Texas A&M administrators said the personal information could not be directly viewed on Web pages, but was obtainable through sophisticated software designed to search databases and hijack such information.
[Evan] Huh?  Like what?  I seriously doubt that anything more than a browser and good text editor would have been necessary.

The file, which was accessible from a Web site for 21 days, was removed within a half hour of its discovery on Tuesday by information security personnel doing routine system checks.

“We are not currently aware of any unauthorized use of this information,” Hussey said. “But we are taking all steps necessary to notify the affected individuals, and offering to help them protect their personal information.”
[Evan] How is the university offering to help protect the affected persons?  Are they referring to the notification and helpful tips?

“We sincerely regret this inadvertent disclosure occurred, and we are taking steps to ensure this doesn’t happen again.”

The file apparently contained an 8-year-old record of employees of the Texas AgriLife Extension Service, formerly known as Texas Cooperative Extension; Texas AgriLife Research, formerly known as the Texas Agricultural Experiment Station, and the College of Agriculture and Life Sciences. An initial analysis of the records suggests the file did not include any employee hired after about May 1, 1999, Hussey said, but that review is not yet complete.

All employees were sent an e-mail Wednesday evening advising them of the possible exposure of these records, Hussey explained. Those whose names were in the files are being contacted individually by e-mails and letters and offered assistance.

"The prudent course then was to take action that essentially assumed the data was made available to somebody who shouldn't have had it."
[Evan] Absolutely.  This remark is right on.

(Dave Mayes, a spokesman for Texas A&M)  said it appears the personal information was accidentally uploaded to the Internet during a recent computer server update. Only certain items were to be updated, but for some reason the eight-year-old, dormant file that contained the information was linked to the Web server during the update, he said.

It remains unclear why or how the file was updated. The original purpose of the file -- which Mayes described as a "data dump" -- also was unclear, though he noted the file had been created intentionally.
[Evan] This is the result of poor data management.  Nobody knows where the file came from, why it was there, or who is responsible.  Confidential information needs more control than this.

Current or former employees who think they might be affected are encouraged to call Texas A&M AgriLife Human Resources at . A Web site providing information on how to prevent identity theft is also available at: fcs.tamu.edu/money/your_money/fraud.php.

Commentary:
Texas A&M information security personnel deserve some credit for conducting regular security audits on servers (and, I assume, on networks, processes, workstations, etc.).  The risk of compromise is proportional to the amount of time the information was exposed.

This breach could be the result of a simple employee mistake, or it could indicate broader information management problems at the school.  The fact that nine-year-old sensitive information exists and nobody knows why or how is an obvious problem.  What is the school planning to do to prevent similar breaches in the future?
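The routine server check that caught this file is the kind of control worth automating. As an added example (not from the post, the news sources, or Texas A&M), the following Python script walks a web document root, flags any file holding several distinct SSN-formatted values, and reports how long the file has sat unmodified, so a dormant "data dump" linked in during a server update stands out; the sample web root it scans is constructed, and every name and number in it is fake.

```python
import os
import re
import time
from pathlib import Path
from tempfile import TemporaryDirectory

# SSN shape AAA-GG-SSSS, rejecting never-issued area (000, 666, 9xx), group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def scan_webroot(root, min_hits=3, max_bytes=50_000_000):
    """Walk a web document root and flag files holding at least min_hits distinct
    SSN-like values. Returns sorted (relative_path, distinct_count, age_days) tuples."""
    root = Path(root)
    now = time.time()
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        distinct = set(SSN_RE.findall(text))
        if len(distinct) >= min_hits:
            # Age from mtime: a long-dormant file served from the web root is a red flag.
            age_days = int((now - path.stat().st_mtime) // 86400)
            findings.append((path.relative_to(root).as_posix(), len(distinct), age_days))
    return sorted(findings)


def build_sample_webroot(root):
    """Populate root with constructed files (all values fake): a news page, a phone list,
    a help page quoting one example SSN, and a dormant personnel 'data dump'."""
    root = Path(root)
    (root / "news").mkdir()
    (root / "index.html").write_text("<h1>AgriLife news</h1><p>Updated 2008-02-16</p>\n")
    (root / "news" / "contacts.txt").write_text("HR desk 979-555-0100\nIT desk 979-555-0199\n")
    (root / "help.txt").write_text("An SSN has the form 123-45-6789 (example only).\n")
    dump = root / "news" / "personnel_dump.csv"
    records = ["Doe,Jane,123-45-6789", "Roe,Richard,234-56-7890",
               "Poe,Edgar,345-67-8901", "Loe,Lisa,456-78-9012"]
    dump.write_text("last,first,ssn\n" + "\n".join(records) + "\n")
    old = time.time() - 8 * 365 * 86400  # backdate the dump to look eight years dormant
    os.utime(dump, (old, old))


def demo():
    """Build the constructed web root in a temp dir, scan it, and return the findings."""
    with TemporaryDirectory() as root:
        build_sample_webroot(root)
        return scan_webroot(root)
```

Calling `demo()` flags only `news/personnel_dump.csv` (4 distinct values, about 2920 days old); the phone numbers and the single quoted example SSN fall below the threshold and are ignored.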

Past Breaches:
September, 2007 - Former Student Charged in Texas A&M Breach that Affected 130,000


 