WCU server "hacked several times" since 2006

Date Reported:
3/23/08

Organization:
Western Carolina University

Contractor/Consultant/Branch:
Department of Business Computer Information Systems and Economics

Victims:
Graduates

Number Affected:
555

Types of Data:
Social Security numbers and other personally identifiable data

Breach Description:
"Someone had hacked into a computer and had access to the Social Security numbers of 555 graduates of Western Carolina University who had signed up for a newsletter."

Reference URL:
Asheville Citizen-Times

Report Credit:
Carol Motsinger, Asheville Citizen-Times

Response:
From the online source cited above:

Someone had hacked into a computer and had access to the Social Security numbers of 555 graduates of Western Carolina University who had signed up for a newsletter.
[Evan] What?  Give me your Social Security number, and I'll give you a newsletter?

WCU officials discovered the breach while trying to track down and eliminate private information on unsecure computer servers.
[Evan] WCU deserves some credit for going through their systems like this.  This is something that should be done semi-annually, and never less than annually.

The compromised information was on a computer server managed by the Department of Business Computer Information Systems and Economics. And it was hacked several times, as long ago as 2006, said Bil Stahl, chief information officer at WCU.
[Evan] Ouch!  Several times since 2006 is bad news.  See my note above.

"We know the data was taken off the server, but we don’t have any evidence that their data was used," he said.

Social Security numbers were included in the stolen information because up until last fall, campuses in the University of North Carolina system could use those digits as student identification numbers. While the practice was stopped then, old data on servers remains vulnerable.

The private information was immediately removed from the compromised server and the Federal Bureau of Investigation is now handling the case.

Letters informing affected alumni of the security breach were also sent quickly, Stahl said.

Despite the breach, Stahl said WCU has "very robust security."
[Evan] Really?  I guess it depends on your definition of "very robust security".  How does a server get hacked several times over the course of a year or so and not get detected?  I think intrusion detection, logging, log management, penetration testing, and audits should all be added to the "very robust security" program (among other things).

"We haven’t had any problems on our secure servers," he said. The compromised information was stored on an unsecure server that is normally used for sharing class notes and assignments.
[Evan] Are the "secure servers" and the "unsecure" servers using the same security domain and centralized authentication (i.e. Windows domain)?  If so, then the "secure servers" are likely "unsecure" too.

The biggest challenge facing WCU is not keeping computer criminals out: It’s finding all the Social Security numbers that are stored in documents on unsecured servers.
 
"Most servers are secure," Stahl said. "We manage more than 150 servers, but they are secure."
[Evan] 150 servers is not too many to run them all as "secure servers".

WCU is currently mounting a twofold attack. It is combing computers for Social Security numbers used for student identification. If the school doesn’t need the numbers, they are deleted. If the numbers are needed, they are placed on a secure server, Stahl said.

The school is using software that finds nine-digit numbers in documents.

However, "there is no easy way to determine whether it’s a Social Security number or not," Stahl said. "You literally have to look at every nine-digit number."

Remarks from an affected alumnus, Wesley Todd
"The process is just tedious, having to take time out to verify that everything is still OK from my end and that my identity has not been stolen,"

"It’s just something that people worry about enough without the university creating more concern for us by not protecting our secured information." So far, Todd has "not found any credit issues,"

Remarks from an alumnus, Tom Fisher
"the most important thing any company, school or government entity can do after a security breach and/or data leak is notify the victims and potential victims."

"not at all surprised that the event actually occurred."

"Data breaches like this are like car accidents - you might not see one every day, but they are happening many times a day all across the country. All you can do is wear your seatbelt and hope it doesn’t happen to you."
[Evan] Sad, but true.  The analogy seems to fit.  Just like road fatalities we know that we can't completely eliminate them, but we never stop trying to make the roads safer.  Understanding this, our job is to reduce the frequency and number of incidents as much as possible.  Today there are still WAY TOO MANY breaches affecting WAY TOO MANY people.  Many of these breaches could/should have been easily avoided.

Commentary:
The fact that a server was compromised several times without detection is hard to explain away.  Some people may claim that the compromise was detected, but in my opinion it was not.  Stumbling upon a breach is not the same as detection.

I understand the challenge that WCU faces in trying to find Social Security numbers (and other confidential information) in all of the data they possess.  This is a challenge facing thousands of companies and organizations throughout the world.  Too many of these companies ignore the fact that data management is an issue and just continue to "throw more disk" at the problem rather than organize, manage, and secure.  The longer the problem exists without attention, the worse the problem gets.
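
The nine-digit search described in the article can be narrowed before anyone reviews hits by hand. The sketch below is an added example, not WCU's software: it drops numbers the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000) and ranks what remains by nearby wording. The keyword list, confidence tiers and sample text are constructed for illustration.

```python
import re

# Nine digits, optionally grouped 3-2-4 with one consistent separator,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
# Assumed context keywords; tune these to the documents being scanned.
CONTEXT = re.compile(r"\b(ssn|social security|student id|sid)\b", re.I)

def structurally_valid(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"

def scan_text(text, window=40):
    """Return (line_no, masked_value, confidence) for each plausible SSN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            area, sep, group, serial = m.groups()
            if not structurally_valid(area, group, serial):
                continue  # cannot be an issued SSN, no manual review needed
            nearby = line[max(0, m.start() - window): m.end() + window]
            if CONTEXT.search(nearby):
                confidence = "high"    # labelled as an identifier
            elif sep == "-":
                confidence = "medium"  # classic 3-2-4 dashed layout
            else:
                confidence = "low"     # bare digits, still needs a human
            # Mask the value so the scan report is not itself a new SSN store.
            findings.append((line_no, "***-**-" + serial, confidence))
    return findings

# Constructed sample input, not data from the incident.
SAMPLE = """\
Name: A. Graduate   Student ID: 123-45-6789
Newsletter signup phone 828 55 50100
Invoice 000123456 paid
Part number 987654321
Roster entry 219099999
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Low-confidence hits still need a person to look at them; the filter only shrinks the pile.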

Past Breaches:
Unknown
