University of Florida student information online for years

Date Reported:
6/11/08

Organization:
University of Florida

Contractor/Consultant/Branch:
Office for Academic Support and Institutional Services

Victims:
Students

Number Affected:
"more than 11,300"

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public."

Reference URL:
University of Florida
Miami Herald
Inside UF
United Press International

Report Credit:
University of Florida

Response:
From the online sources cited above:

GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public.
[Evan] Not "may have been".  The information was accessible to the public and was not even protected by a password.

The student information was actively used from 2003 through 2005 and remained posted until it was recently discovered during a routine audit of UF systems.
[Evan] If I am reading this right, this means that some of the personal information was available publicly for ~5 years!

School officials emphasized that the site would not have been easy to find and they do not believe it was accessed by anyone outside the school.
[Evan] There is no security through obscurity.

"The risk of someone outside actually finding this information and using it inappropriately is very low," - Steve Orlando, UF Spokesman
[Evan] I wonder how Mr. Orlando came to the conclusion that the risk of disclosure and misuse is "very low".  As I understand, the server was publicly accessible, presumably via the internet.  If so, was the site indexed by search engines like Google, Yahoo, and Microsoft?  It is much easier to find information through a search index because folder structure is much less relevant.  The fact that this information was available for 3-5 years adds to the risk too.  I only know what I read, and based on this and experience, I wouldn't classify this as a "very low" risk situation.  Either way, the risk was increased due to poor information security practice and was not necessary.

"We've done computer forensics, and we don't have any evidence that anybody accessed this information," he added.
[Evan] This indicates poor logging and monitoring, which are both essential detective controls (in most situations).  Information security personnel (or admins) should be empowered to reconstruct events.
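The two points above (could a search engine have indexed the site, and can the access logs actually reconstruct who fetched what?) are the kind of questions a web server's own access log answers, if it was kept. The script below is an added example written for this post; it is not code from UF or from the original article. It parses lines in the standard Apache/nginx "combined" log format, restricts itself to a hypothetical exposed directory `/oasis/records/`, separates internal hits from external ones using an assumed internal address range, and counts crawler hits and visits that arrived via a search engine referrer. The log lines are constructed for illustration; the IP addresses, path and file name are assumptions, not anything reported in the sources.

```python
"""Reconstruct access to an exposed web directory from access logs.

Added example for this post, not UF code. Assumes Apache/nginx "combined"
log format, a hypothetical exposed path /oasis/records/, and a hypothetical
internal network of 10.0.0.0/8. All log lines below are constructed.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines (not real UF logs). 66.249.65.x is a Googlebot
# address; 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_LOG = """\
66.249.65.12 - - [03/Feb/2006:11:42:07 -0500] "GET /oasis/records/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.12 - - [03/Feb/2006:11:42:09 -0500] "GET /oasis/records/students2004.xls HTTP/1.1" 200 210433 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.227.4.18 - - [14/Mar/2006:09:15:31 -0500] "GET /oasis/records/students2004.xls HTTP/1.1" 200 210433 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.77 - - [22/Sep/2007:02:03:44 -0400] "GET /oasis/records/students2004.xls HTTP/1.1" 200 210433 "http://www.google.com/search?q=oasis+student+records" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.9 - - [22/Sep/2007:02:05:10 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings that identify the major search-engine crawlers of the period.
CRAWLER_MARKERS = ("googlebot", "msnbot", "bingbot", "slurp")
# Referrer hosts that indicate a visitor arrived from a search results page.
SEARCH_REFERERS = ("google.", "yahoo.", "bing.", "live.com", "msn.com")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_internal(ip, internal_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def came_from_search(referer):
    ref = referer.lower()
    return any(host in ref for host in SEARCH_REFERERS)


def analyze_exposure(log_text, exposed_prefix, internal_cidrs):
    """Summarize who fetched anything under exposed_prefix, and when."""
    internal_nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    s = {
        "hits": 0, "served_ok": 0, "internal_hits": 0, "crawler_hits": 0,
        "external_human_hits": 0, "search_referred": 0,
        "external_ips": set(), "files": set(),
        "first_seen": None, "last_seen": None,
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(exposed_prefix):
            continue
        s["hits"] += 1
        if rec["status"] == 200:
            s["served_ok"] += 1          # content actually left the server
        s["files"].add(rec["path"])
        ts = rec["ts"]
        if s["first_seen"] is None or ts < s["first_seen"]:
            s["first_seen"] = ts
        if s["last_seen"] is None or ts > s["last_seen"]:
            s["last_seen"] = ts
        if is_internal(rec["ip"], internal_nets):
            s["internal_hits"] += 1
            continue
        s["external_ips"].add(rec["ip"])
        if is_crawler(rec["ua"]):
            s["crawler_hits"] += 1       # likely indexed by a search engine
        else:
            s["external_human_hits"] += 1
            if came_from_search(rec["referer"]):
                s["search_referred"] += 1  # found via a search results page
    return s


if __name__ == "__main__":
    report = analyze_exposure(SAMPLE_LOG, "/oasis/records/", ["10.0.0.0/8"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

A crawler hit with status 200 is the signal to look for: once a search engine has fetched a file, "the site would not have been easy to find" no longer holds, because the content is searchable regardless of its folder structure. A visit whose referrer is a search results page is direct evidence that someone found it that way. Without retained logs none of these counts can be produced, which is exactly the gap the "no evidence anybody accessed this" statement leaves open.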

"But because we can't say that with absolute certainty, we're going through with the notification out of an abundance of caution," Orlando said.
[Evan] I am NOT a fan of the "abundance of caution" claims that seem more popular in breach notifications lately.  Organizations would be best advised to use an "abundance of caution" in the prevention and early detection of breaches by applying sound information security principles.

Since 2005, the site has been "dormant but accessible," said university spokesman Steve Orlando. "It was just sitting there."

The information has been removed and is no longer available online or elsewhere in the UF systems.

The breach occurred when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program.

The student employees posted the information online so that they could work with it from remote locations, but they did not install security measures to keep others from accessing it as well.
[Evan] I have so many questions and arguments.  Were the students aware of the risks?  If not, then there is probably an information security training and awareness problem.  Why was it necessary to include Social Security numbers in the records?  Why were the seemingly untrained students allowed to post the information without being stopped or detected?  I have many more questions, but I am starting to confuse myself now.

The university sent letters of notification to about 11,300 students whose information is believed to have been potentially compromised.
[Evan] Here's my take on the word "compromised".  If an organization cannot provide reasonable assurance that the information has not been subject to unauthorized disclosure, modification, or destruction, then the information has been "compromised". 

University officials were unable to find contact information for about 570, so they are asking students who were enrolled in CLAS from 2003 to 2005 and did not receive a letter but who believe their information may have been compromised to call UF’s Privacy Office Hotline at 866-876-HIPA and provide the requested information.

Anyone who thinks he or she may be one of the 570 people who were not notified is urged to go to privacy.ufl.edu and read the information posted there before calling the privacy hotline.

"This would certainly appear to be the largest privacy breach we've had," Orlando said.

We're in the process of strengthening some of those policies regarding what information can be posted and what security measures should be in place.
[Evan] Good start.

Victim Reaction:
"Why would it be necessary to use a Social Security number instead of something else?" asked Reixach, pointing out that students were given ID numbers. "It's just silly".

"It's negligence on their part, especially if anyone has been affected with identity theft,"

Johann Arias, a spring CLAS graduate, had not heard about the breach Wednesday and said UF should be doing more to notify those affected.

"They always make information very prominent when you have a hold or owe them money," Arias said.

Commentary:
This is a case in which poorly trained students were granted, or obtained, access to confidential information and posted it to an unsecured location, where it went undetected for years.  Bad all around.

Past Breaches:
May, 2008 - University of Florida doctor loses job over breach
November, 2007 - University of Florida student info online
