University of Iowa engineering student information exposed
Date Reported:
9/11/08
Organization:
University of Iowa
Contractor/Consultant/Branch:
College of Engineering
Location:
Iowa City, Iowa
Victims:
"engineering students"
Number Affected:
"about 500"
Types of Data:
"names and Social Security numbers"
Breach Description:
"Iowa City, Ia. - The names and Social Security numbers of about 500 University of Iowa engineering students may have been stolen by computer hackers, the university announced Thursday."
Reference URL:
The Press-Citizen
The Des Moines Register
University of Iowa News Release
Report Credit:
University of Iowa
Response:
From the online sources cited above:
Some 500 students in the University of Iowa College of Engineering are being notified by the college that their personal information may have been exposed in a recent computer breach.
The information was stored on a computer that was breached around Aug. 11 by hackers looking to use the machine as a server from which other users could access music and movies.
[Evan] This seems to have been a more common type of breach years ago. I don't see bad guys using computers for unauthorized file sharing as much anymore. Maybe this is because information security priorities for me have changed a bit over the years. Anyway, I am guessing that the person(s) who uses/used this computer was/were using the computer logged in with an administrative/privileged account. This is an incident that could be used to make a case against using local administrative/privileged accounts on computers that are used to create, collect, store or transfer sensitive information.
The computer system was taken offline after the breach was discovered in early August, according to Jane Drews, the U of I's information technology security officer.
[Evan] Is "information technology security officer" the official title for Jane Drews? The name implies that the position reports up through the IT department. Information security is not an IT or technology issue, it is a business issue.
At that point, she said an extensive analysis was done to determine the depth of the breach.
It was during this analysis that U of I officials discovered the file that contained names and Social Security numbers.
According to Alec Scranton, associate dean of academic programs in the college, there is no evidence the file was viewed or copied, and it appears that the purpose of the breach was to use College of Engineering resources to store copies of music and movies.
The file did not contain information such as birth dates, grades or any financial information.
[Evan] So? Unauthorized access to names and Social Security numbers could be damaging enough considering that much of the additional information is usually pretty easy to obtain.
Drews said the breach most likely occurred randomly, with one hacker targeting a multitude of systems to find a weak point.
[Evan] How does it feel to know that your infrastructure is "a weak point"?
"It's kind of like going down the hall trying doors until you catch an open one," Drews said.
[Evan] So we put locks on doors to prevent access and alarm systems and video cameras to detect access. I wonder how this breach was detected and by whom.
Senior biomedical engineering student Cori Thompson said the U of I should do more to protect sensitive information.
"That's extremely scary," Thompson said.
Commentary:
Judging from the University of Iowa SSN Update slides here, it appears that the school is in the process of identifying and controlling Social Security number use throughout the school. This is a good thing.
Past Breaches:
University of Iowa:
January, 2008 - University of Iowa inadvertently posts personal data to the Internet
October, 2007 - University of Iowa philosophy students' data exposed
