Binghamton University mistaken email exposes students
Date Reported:
3/17/08
Organization:
State University of New York
Contractor/Consultant/Branch:
Binghamton University
Victims:
School of Management students
Number Affected:
338
Types of Data:
Names, Social Security numbers and grade point averages
Breach Description:
"The Social Security numbers of more than 300 Binghamton University students were accidentally e-mailed to a list of hundreds of other students on Friday", 3/14/08
Reference URL:
BU Pipe Dream
Press & Sun-Bulletin
Report Credit:
John Hill, Press & Sun-Bulletin
Response:
From the online sources cited above:
One wrong move has left more than 300 School of Management students vulnerable to identity theft. An e-mail containing the names, Social Security numbers and grade point averages of 338 accounting students was mistakenly sent to an accounting Listserv instead of another SOM faculty member Friday afternoon.
Brian Perry, an SOM undergraduate adviser, had meant to send the e-mail to other faculty members for the purpose of selecting students to receive various academic awards. Instead, the e-mail showed up in the inbox of 288 accounting students.
[Evan] Ouch, it stinks to be named as the culprit publicly, by name. Why were Social Security numbers required in an email meant to select students for academic rewards? Does the school use Social Security numbers as identifiers (instead of student IDs)?
“We are taking the matter very seriously,” said Upinder Dhillon, SOM dean. “The University is conducting a full investigation of this incident, including how this information was compromised and how information security in the School of Management can be improved.”
Friday evening James VanVoorst, vice president for administration, sent an e-mail to students whose information had been included on the list, notifying them of the situation.
[Evan] The school should be credited for a very prompt response.
“The University is exploring ways to limit the dissemination of the information,” VanVoorst stated in the e-mail. “Although we have no indication that any of this information will be misused, we recommend that you take appropriate action, including placing a fraud alert through one of the three credit agencies listed.”
“It’s important to note that this wasn’t someone invading our campus database,” he said. “We have firewalls to prevent this. We continually stay vigilant on that scope.”
[Evan] More often than not, breaches are not caused by "someone invading" systems from the outside. People need to think of security holistically and evaluate risks from many sources. Firewalls are obviously important, but they are not more than what they are.
Upinder is encouraging the 338 students who had their information exposed to contact his office with any questions, either by calling or via e-mail to
Commentary:
This appears to be a simple employee mistake. It is scary how easily this could happen in many organizations. I know I have sent emails to unintended recipients before. I am concerned that Social Security numbers were contained in the email and wonder why? I am also curious about how access is restricted to such personally identifiable information (PII).
Potential causes that can lead to a higher risk of employee mistakes:
- Overwork. Employees who are overworked and rushed make more mistakes.
- Poor awareness. Improved awareness equates to fewer mistakes.
- Technological conveniences. In this case, I think of Outlook and the auto-complete functions when addressing emails. It saves me time by not having to type the entire email address, but I can easily choose one of the wrong email addresses from the drop-down.
- People are people. We all make mistakes. It just stings a little more when we are talking about the disclosure of confidential information.
Past Breaches:
Unknown