Former NYU students' personal information exposed at Duke University

Date Reported:
5/20/08

Organization:
New York University

Contractor/Consultant/Branch:
Duke University, Fuqua School of Business

Victims:
Former NYU students

Number Affected:
273

Types of Data:
Names and Social Security numbers

Breach Description:
"DURHAM, N.C. - Duke University’s Fuqua School of Business is notifying 273 former New York University students that some of their personal information was inadvertently accessible by targeted Internet searches between July 2007 and April 2008."

Reference URL:
The News & Observer
NBC Channel 17 News

Report Credit:
Eric Ferreri, The News & Observer

Response:
From the online sources cited above:

DURHAM - Duke University's Fuqua School of Business is notifying 273 former New York University students that some of their personal information was inadvertently accessible by targeted Internet searches between July 2007 and April 2008.
[Evan] The information was public and went unnoticed by school, IT, and information security officials for nine months.

The NYU students were part of a 1997 class taught by a professor who now teaches at the Duke business school.
[Evan] Why would a professor ever need access to Social Security numbers?  NYU may use or might have used Social Security numbers as student numbers.  Many schools are migrating away from this practice due to obvious (hopefully) privacy implications.  It is troubling that a former professor was allowed to leave NYU with confidential information belonging to students.

The professor is not identified.

The personal data included student names and Social Security numbers, and was contained in the faculty member’s NYU research records.
[Evan] Did the professor not notice that he/she had Social Security numbers as part of his/her research records?

There has been no indication of any unauthorized access or use of the personal information.

Duke’s Internet security team has ascertained that the information could have been accessed only if searched by specific student names, along with a search code for Social Security numbers.
[Evan] I suppose we could take them at their word, although it would be very difficult to state this claim with certainty.  Search algorithms are very closely guarded secrets by Google, Yahoo, et al.

The personal information was removed from Fuqua's public drives within 30 minutes of the school becoming aware of the problem on April 30.
[Evan] The ability to post information for public consumption must be closely monitored by organizations, and those with permissions must be properly trained.

Within hours, all major search engines had cleared their caches and indexes of the student information.

Fuqua began notifying the former NYU students immediately after receiving addresses from NYU.

Fuqua officials have undertaken a thorough review of the school’s electronic accounts to ensure no personal information is subject to unauthorized access.

No former or current Fuqua students were affected.

Commentary:
Most of my commentary is remarked above.  What do the schools plan to do in order to reduce the chances of this happening again?

Past Breaches:
December, 2007 - Duke School of Law breach affects 3,200

 