An internal breach at the University of Toledo exposes 6,500

Date Reported:
4/13/08

Organization:
University of Toledo

Contractor/Consultant/Branch:
None

Victims:
Employees that worked on the Health Sciences Campus from 1993 to 1999

Number Affected:
6,500

Types of Data:
W-2 Forms, including names, addresses, and Social Security numbers

Breach Description:
"TOLEDO -- A university spokesperson said Sunday that personal information involving nearly 6,500 university employees was accidentally placed on the university's server last month, which all employees would have been able to access."

Reference URL:
NBC24 News
13ABC News
The Toledo Times

Report Credit:
NBC24 News

Response:
From the online sources cited above:

Personal information of nearly 6,500 University of Toledo employees - the majority having worked on the Health Science Campus in 1993 and 1999 - last month was inadvertently placed on a server to which all employees had access.
[Evan] This information seems a little old to still be kept by the school. I don't know about Ohio's legal requirements, but I know that neither the IRS nor the Department of Labor require that payroll information be kept for so long. Maybe a data retention policy would be in order.

A data file, once only visible to those in UT's payroll department, was mistakenly placed on a shared network.

An employee in the payroll department authorized to work with the data accidentally moved it to the wrong folder on the morning of March 4.

It was discovered in the wrong place by an information technology employee on March 5, said Bob Hogle, interim information technology chief operating officer.
[Evan] Excellent work by the information technology employee.  I wonder how he/she became aware.

It is common for large data files, such as these spreadsheets, to be stored on the internal server, but they are typically kept in folders where only employees of that department have access, Mr. Hogle said.

"There were about 6,500 employees' W-2 forms primarily from 1993 and 1999," says UT spokesperson Jon Strunk.

The personal information, including Social Security numbers, was made available to all university employees. University officials doubt the information was ever stolen.

"The likelihood that an employee who didn't know the file was there to begin with would choose to search the obscure part of the data, and further would have malicious intent seems unlikely," says Strunk.

Strunk says the incident happened back on March 4th and was corrected the very next day, but those affected weren't notified until this past week.

"Letters were sent out on Thursday. The reason for the delay there being we wanted to ensure, as these were former employees, we had the most accurate addresses we could find to send them out a letter," explains Strunk.

The temporary folder where the information was accidentally placed has been removed, he said.

If you received a letter and have more questions, or if you didn't and want to know if you were affected, you can e-mail the Compliance Office at the University of Toledo at

Commentary:
Employees make mistakes.  They are human.  What are some of the things that we can do as information security professionals to reduce the frequency and severity of employee mistakes?  This issue is a big challenge.  The risk of identity theft or further damage is probably pretty low due to the fact that this was an internal exposure.

Of course, you can't expose information that you no longer possess.  Why does the school still have this information?  Does the school have a data retention policy?  Like many breaches, there are more questions than answers.

Past Breaches:
August, 2007 - University of Toledo, Two Stolen Computers, Unknown Number of Victims

Comments
  • 4/13/2008 10:00 PM Scott Wright wrote:
    This seems like a plain old manual processing error. There are probably several ways that such a process could be corrected (e.g. different accounts with limited file and folder permissions, mandatory checklists, automated batch processing, etc.)

    A simple Threat and Risk Assessment would probably have caught this type of thing. TRAs should be mandatory, not just for automated systems, but for manual processes, too.
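One detection control of the kind Evan's question ("I wonder how he/she became aware") and the comment above point at, as an added example that is not code from the original post, the commenter, or the university: a Python check that walks a shared folder and reports files that are readable by every account and contain SSN-shaped values, which would have flagged a misplaced W-2 export the same day. The share root, the use of the POSIX "others" read bit as a stand-in for an all-employees share, and the sample W-2 rows are assumptions constructed for the demo.

```python
"""Flag files in a shared folder that everyone can read and that contain SSN-shaped values."""
import os
import re
import stat
import tempfile
from pathlib import Path

# U.S. Social Security numbers in the dashed form printed on W-2 forms.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def is_broadly_readable(path: Path) -> bool:
    """True if the POSIX mode grants read to 'others' (assumed stand-in for an all-employees share)."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def count_ssns(path: Path, max_bytes: int = 1_000_000) -> int:
    """Count SSN-shaped tokens in the first max_bytes of a file; unreadable or binary files count as 0."""
    try:
        text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
    except OSError:
        return 0
    return len(SSN_RE.findall(text))


def find_exposed_files(root: Path, min_hits: int = 1) -> list[tuple[str, int]]:
    """Walk root and return (relative path, SSN count) for broadly readable files holding SSNs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not is_broadly_readable(p):
                continue
            hits = count_ssns(p)
            if hits >= min_hits:
                findings.append((str(p.relative_to(root)), hits))
    return sorted(findings)


def demo() -> list[tuple[str, int]]:
    """Constructed share: one W-2 export misplaced in a temp folder readable by all, one kept department-only."""
    root = Path(tempfile.mkdtemp(prefix="shared_"))
    (root / "temp").mkdir()
    (root / "payroll").mkdir()
    rows = "name,ssn,year\nA. Employee,123-45-6789,1993\nB. Employee,987-65-4321,1999\n"  # constructed
    exposed = root / "temp" / "w2_export.csv"
    exposed.write_text(rows)
    exposed.chmod(0o644)  # readable by everyone on the share: this is the misplaced copy
    restricted = root / "payroll" / "w2_export.csv"
    restricted.write_text(rows)
    restricted.chmod(0o640)  # payroll department only: not reported
    return find_exposed_files(root)


if __name__ == "__main__":
    for rel, hits in demo():
        print(f"{rel}: {hits} SSN-like values readable by all accounts")
```

Run against a real share, the same walk feeds a daily report or a ticket to the folder owner, so a file left in the wrong folder is noticed by a control rather than by chance.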
