Two students access confidential Dominican University files
Date Reported:
5/8/08
Organization:
Dominican University
Contractor/Consultant/Branch:
None
Victims:
Students
Number Affected:
5,215
Types of Data:
"names, addresses, phone numbers, birthdays and Social Security numbers"
Breach Description:
"CHICAGO -- Some Dominican University students and alumni were notified this week of a breach in security that could have put their personal information at risk. The university said two students were able to access records on a staff network storage area in April. The files were three spreadsheets from 2003, 2005 and 2007."
Reference URL:
WMAQ NBC Channel 5 News
RiverForest-Leaves
Dominican University
Report Credit:
Dominican University
Response:
From the online sources cited above:
Dominican University takes information security very seriously. In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment.
Two computer science sophomores who had password access through their work-study employment discovered three Excel files, containing a total of 5,215 student records.
These files were in an unsecure location that was to be accessible only to specific staff members.
[Evan] Is this password misuse or just poorly secured files and poor security? The confidential files were stored in an unsecure location that was supposed to be accessible by specific staff. Does this make any sense to you?
One of the students came forward earlier this month with the information that they had accessed files that were to be available to staff only. The students then disclosed the full extent of their access to the exposed data and demonstrated to the administration how the access occurred.
[Evan] I wonder if the school would have ever found out if the student didn't come forward. My guess is not.
We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney’s offices.
A letter was sent to all affected students and alumni on April 18 when the extent of the exposure could be determined.
The students went through a full university judicial process, were suspended temporarily and have been barred from future campus employment, among other sanctions.
The students are expected to return to classes next fall "under a lot of supervision, as you'd expect,"
[Evan] I don't know. There are probably students doing worse things on campus that probably need a lot more supervision than these two. Judging only by what I have read, these students seem to have been pretty honest. They came forward, they cooperated with the investigation and even demonstrated what they did.
The university is conducting a complete security audit and internal review.
[Evan] This should be done on a regular basis anyway. All good information security programs conduct regular audits, assessments and reviews.
Dominican has conducted a complete internal security audit and has hired an external consultant to review all security processes.
[Evan] I endorse the school's decision to enlist a third-party consultant, assuming that the consultant is good at what they do. The last statement contained the word "conducting", this statement contains "conducted".
At this time we have no reason to believe that any information has been misused, but retain the right to prosecute as necessary.
"Steps have been taken to make something like this more difficult to do in the future. We've significantly tightened security,"
[Evan] If I had a dime for every time I heard this, I could retire very comfortably. If there are no details or facts to support statements like this, they don't mean much to me.
If I have more questions, who should I call? You can call our toll-free number: .
Student Reaction:
"I was a little upset. I was nervous. I didn't know what to do. I knew that our family's been affected by this before, so I wanted to react right away,"
"I think that's crazy, because ... people can get your information, know things about you (and) you can't do anything about it,"
"Someone actually just charged on my debit card something. (It was) unrelated to this, I think, but it freaks me out every day now,"
[Evan] This student didn't just buy some Adobe education version software, did he/she?
Commentary:
I'm not sure if I am reading this right or not, but it seems almost like these students stumbled upon the confidential files and informed officials of their findings. I don't sense any dishonesty on their part. I could be wrong, but it also seems like the school didn't (and maybe still doesn't) properly secure confidential information. The statement about a secure file in an unsecured location is puzzling.
If assumptions are correct, then it may be ill-advised to sanction these students. Does anyone else see this the same way, or would you say that I am off base here?
Past Breaches:
Unknown
