Three intrusions go undetected at Antioch University
Date Reported:
3/29/08
Organization:
Antioch University
Contractor/Consultant/Branch:
None
Victims:
"current and former students as well as current and former employees going back to 1996"
Number Affected:
~70,000
Types of Data:
"The system contained people's names, addresses, telephone numbers, and social security numbers. For students and former students it also contained academic records and for employees and former employees it contained payroll records."
Breach Description:
"A computer system at Antioch University that contained personal information on about 70,000 people was breached by an unauthorized intruder three times last year, the school said Friday."
Reference URL:
Antioch University FAQs
Antioch University Security Letter
ITBusinessEdge
Report Credit:
Antioch University
Response:
From the online sources cited above:

I wasn't an English major, so who am I to point this out?
A computer system at Antioch University that contained personal information on about 70,000 people was breached by an unauthorized intruder three times last year, the school said Friday.
On February 13, 2008, a security incident occurred on one of Antioch University's computer systems. The University responded aggressively by immediately contacting forensic software investigators to examine its computer system.
[Evan] Maybe an aggressive response was warranted in this case, but this is not so in all cases. Sometimes an aggressive response causes harm. The school should be commended for bringing in a third-party expert. I wonder how the school initially became aware of the intrusion.
After analyzing Antioch's computer system, the investigators determined that an unauthorized intruder breached one of Antioch's computer systems on three different occasions: June 9, 2007, June 10, 2007, and October 11, 2007.
[Evan] Oh my! This is a tough pill to swallow. Obviously no intrusion detection or effective monitoring of this server. The protection of confidential information requires more active involvement. Three breaches occurring over the course of 18 months without a response (until now) is not acceptable.
The system contains files with Social Security numbers, names, academic records for students and former students, and payroll records for Antioch's employees and former employees. It also contains names and Social Security numbers for student applicants.
We are not aware of a single report of identity theft as a result of the intruder's actions.
No conclusive evidence has been found that the intruder actually acquired, viewed, copied, or otherwise misappropriated any of your personal information.
Nonetheless, we are continuing to analyze all available evidence to determine the extent of the intrusion.
Based on what we know regarding the facts surrounding the intrusion, we believe it is unlikely your information has been or will be misused. However, the University does not seek to minimize the concerns raised by this intrusion.
[Evan] We will minimize concerns then tell you that we don't seek to minimize the concerns.
Improvements to our system are being made but it is constant vigilance and a sense of caution that are necessary in keeping the system we develop safe.
[Evan] Yes, "constant vigilance" is required. So is this a "now we get it" response?
We will continue to reevaluate, identify, and remove potential vulnerabilities as we make improvements to our security system.
The University is working with appropriate federal and state law enforcement agencies to apprehend the responsible party and to determine if any personal information was stolen.
[Evan] Unless the intruder is a complete idiot, there is little hope of apprehension.
The University will aggressively pursue those responsible for the breach.
[Evan] Why? Time spent on establishing a sound information security program would be time better spent in my opinion.
Additionally, we have contacted the three major consumer credit reporting agencies to inform them of this incident.
The university said it is contacting by mail people whose information could have been exposed.
Antioch University takes the security and privacy of its employees, students, and applicants seriously and deeply regrets that this incident has occurred.
A Toll Free Hotline at 1- has been set up to assist you with answers to any questions or concerns regarding the data security intrusion. The Toll Free Hotline is available from 9 a.m. to 5 p.m. EDT, April 1 through May 30, 2008. If you call after business hours or find it necessary to leave a message, Antioch University will attempt to return your call within two business days.
If you suspect that you are a victim of identity theft immediately contact local law enforcement, your state's Office of Attorney General, and the Federal Trade Commission (1-877-ID-THEFT or 1-).
Again, Antioch deeply regrets any inconvenience this incident may have caused.
Commentary:
Two facts stand out for me immediately when I read about this breach.
1. According to the university, this server contained sensitive information "going back to 1996". Does a data retention policy not exist at the school? I do not know of any regulation or business reason why the school needs to keep data going back 12 years.
2. A server that creates, processes or stores sensitive information requires much more information security attention than the one involved in this breach. It would be embarrassing. This is an excellent case for IDS/IPS.
The school response seems sincere and open, but it doesn't leave me with a sense of comfort.
Past Breaches:
Unknown

I am not surprised at the loose reaction and security at Antioch. As a fellow student, anytime I or others disagreed or asked internal questions pertaining to the professors' lack of education in teaching or teaching credentials, we were told that no professor ever had to take a course in teaching, just a master's degree in the field of study. No wonder there is such a poor and uneducated group of people running the school. Basically this school is anti-acceptance of higher educational standards in teaching and in running the school. I had to quit the school; I felt that the department heads on down were amateurs who did not take criticism well, but boy could they dish it out.
former student