Online student aid database vulnerability at CA Department of Education

Date Reported:
9/8/08 (Corrected 9/10/08, the original report from The Globe and Mail was incorrect)

Organization:
Memorial University
Government of Newfoundland and Labrador

Contractor/Consultant/Branch:
Department of Education
Student Financial Services Division

Location:
Newfoundland and Labrador, Canada

Victims:
Student aid applicants and potentially spouses and/or parents

Number Affected:
"about 90"*

*"Records belonging to about 48,000 students were in the database at the time of the breach"

Types of Data:
"social insurance numbers, birth dates, addresses and income-related information, as well as signature forms for parents and students"

Breach Description:
"Nearly 50,000 computer files are being checked after a student at Memorial University in St. John's found a security breach that exposed personal financial information dating back more than 4½ years."

Reference URL (Updated 9/10/08):
Newfoundland and Labrador Press Release
CBC News
The Globe and Mail

Report Credit:
CBC News

Response:
From the online sources cited above:

Police are investigating how confidential information belonging to dozens of students was compromised in a security breach, Newfoundland and Labrador's education minister said Monday.

Student aid records involving 90 individuals were recently accessed without authorization, due to a hole in security involving an online database, Joan Burke said.

"They may have seen the financial information of a spouse, or parents, so it could include tax information, such as your income, your annual income or your social insurance number," Burke told reporters.
[Evan] The information in this database is highly confidential.  A good place to start for secure web application development is the Open Web Application Security Project (OWASP).

officials first learned of the problem more than two weeks ago

They fixed the security breach immediately, she said, but initially kept the problem secret because they wanted to see how compromised the information was.
[Evan] They fixed the vulnerability.  One specific vulnerability?

The Royal Newfoundland Constabulary is investigating the breach

The office of the province's information and privacy commissioner is also investigating

authorities have traced the source of the breach to a single IP address, but it's not known whether one individual tapped into the database

"We have it narrowed down to one IP address," Ms. Burke said in an interview. "It's my understanding that this alleged viewing took place in June of this year."
[Evan] This is a good sign that logging was employed on this site.  Seems pretty basic, but I think you would be surprised at how many web site hosts do not configure adequate logging.  I subscribe to the theory that you can't stop all attacks, but you should be able to detect them.

authorities also don't know whether the motive was curiosity, or something worse

Exposed data included social insurance numbers, birth dates, addresses and income-related information, as well as signature forms for parents and students.

The problem came to light when someone working in a password-protected area of the student aid application site noticed that changing a few characters in the URL allowed access to another person's data.

The student raised the alarm. But the university fears that someone had noticed the vulnerability earlier and exploited it.

the site was taken down and repaired, with an external company hired to oversee the security of the service
[Evan] I applaud the use of external resources in places where organizations do not have or cannot afford the in-house expertise.

Cameron Campbell, a director of the Memorial University of Newfoundland students union, said student leaders have been assured the issue is under control.

"They've told us the system is completely secure at this point and as soon as they found out about the breach, they shut it all down," Campbell said.
[Evan] Maybe Cameron Campbell just misspoke, but you cannot make a system "completely secure".  We are in the risk reduction business, not the risk elimination business.

"The problem has been rectified," Ms. Burke said. "The site has been reviewed by an external security firm and confirmation has been provided that personal information is now secured."
[Evan] I am not doubting that the personal information is more secure than it was, but personal experience has shown that retrofitting an insecure application is much less effective than an application that is designed with security in mind from the beginning.

Reegan Anstey, a Memorial University student, said she was unnerved by the disclosure, since she used the site herself this summer to apply for a student loan.

"That was, like, back in June or July, so yeah, I'm hoping I'm not one of those people," she told CBC News.

Records belonging to about 48,000 students were in the database at the time of the breach, Burke said.

An expert in online security said the public might be shocked to learn how common breaches in Web security continue to be.
[Evan] If the public isn't shocked, I think it should be!

"This breach is [a sign] that, in the construction of a website, some of the issues aren't really well thought out," said Elisabeth Rybak, CEO of the New Brunswick company TrustMe Security. "I think that people would be outraged if they knew the extent of it."
[Evan] Bingo.

Commentary:
It stinks that someone took advantage of a URL traversal vulnerability to access other people's sensitive information, but Memorial University does deserve some credit for logging.  The accesses by the unauthorized person or processes are fairly easy to log and identify.
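Added illustration (not code from the original post or from the provincial student aid system): the kind of URL-tampering flaw the article describes, where changing the record id in the URL returns someone else's application; the ownership check that closes it; and the log correlation that the logging praised above makes possible. The application ids, user names, IP addresses and log lines are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: application id -> owning user and a masked record.
APPLICATIONS = {
    "1001": {"owner": "alice", "sin": "***-***-001"},
    "1002": {"owner": "bob", "sin": "***-***-002"},
    "1003": {"owner": "carol", "sin": "***-***-003"},
}

def lookup_vulnerable(session_user, application_id):
    """Trusts the id taken from the URL: any logged-in user reads any record."""
    return APPLICATIONS.get(application_id)

def lookup_fixed(session_user, application_id):
    """Returns the record only if it belongs to the authenticated user.
    Missing and foreign records both yield None so ids cannot be probed."""
    record = APPLICATIONS.get(application_id)
    if record is None or record["owner"] != session_user:
        return None
    return record

# Constructed access-log lines: client_ip authenticated_user application_id status
ACCESS_LOG = [
    "203.0.113.7 alice 1001 200",
    "203.0.113.7 alice 1002 200",
    "203.0.113.7 alice 1003 200",
    "198.51.100.9 bob 1002 200",
]

def find_cross_owner_reads(log_lines):
    """Joins each successful read against the ownership table and returns
    (ip, user, application_id) for records the session user does not own."""
    hits = []
    for line in log_lines:
        ip, user, app_id, status = line.split()
        owner = APPLICATIONS.get(app_id, {}).get("owner")
        if status == "200" and owner is not None and owner != user:
            hits.append((ip, user, app_id))
    return hits

def flag_enumeration(log_lines, threshold=2):
    """Returns client IPs that successfully fetched more than `threshold`
    distinct application ids, the footprint id-tampering leaves in logs."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, _user, app_id, status = line.split()
        if status == "200":
            seen[ip].add(app_id)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) > threshold}
```

The second check only works because the log records the authenticated user and the resource id alongside the client address, which is exactly the detail that let investigators narrow this incident to one IP address.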

Past Breaches:
Government of Newfoundland and Labrador:
November, 2007 - Sensitive Canadian health information leak

Comments
  • 9/10/2008 11:54 AM Greg wrote:
    Hi, The Globe and Mail got their facts wrong, unfortunately for MUN. The breach was in the Provincial Student Aid system. A press release was published yesterday with the government claiming full responsibility and not mentioning MUN at all. It is the G&M piece that is getting reposted all over the web today though. The PR people at MUN will be busy.

    It just shows that your reputation can still go in the crapper even if you do nothing wrong but just happen to be caught up in the blast zone.

    Cheers

    Provincial Gov't Press Release
    http://www.releases.gov.nl.ca/releases/2008/edu/0908n01.htm

    CBC got it right
    http://www.cbc.ca/technology/story/2008/09/08/student-breach-data.html
    1. 9/10/2008 12:53 PM Evan Francen wrote:
      Thank you for pointing this out Greg.  I have updated the posting to reflect the more accurate information.

      Evan

  • 9/11/2008 7:03 AM Greg wrote:
    No problem Evan. I've been tracking university breaches since California started requiring notification a few years ago.

    I just found the press release from Memorial's Information Access and Protection of Privacy Office this morning that states their position on the breach and confirms that their systems were not involved.

    MUN IAPP Press Release:
    http://www.mun.ca/iapp/home/

    Cheers,
    Greg
