Former Sonoma State computer science student information exposed
Technorati Tag: Security Breach
Date Reported:
9/26/08
Organization:
Sonoma State University
Contractor/Consultant/Branch:
Department of Computer Science
Location:
Rohnert Park, California
Victims:
Former students
Number Affected:
"about 600"
Types of Data:
"names and Social Security numbers"
Breach Description:
"News is making its way to about 600 former Sonoma State University students that their Social Security numbers have been exposed to the public through an internal department website."
Reference URL:
The Press Democrat
Associated Press via The San Francisco Chronicle
Report Credit:
Mary Callahan, The Press Democrat
Response:
From the online sources cited above:
Sonoma State University officials are investigating a security breach that exposed the Social Security numbers of about 600 former students.
University officials say they're not aware of any criminal or inappropriate activity linked to the breach, which was discovered on Sept. 2.
[Evan] The problem was discovered on September 2nd. Nothing was reported about how long the information had been exposed and accessible before that. That detail would help the people affected form a better sense of their risk.
a former student accessed the roster of names and Social Security numbers through a networking Web site for students previously enrolled in computer science classes
[Evan] It seems like the student just stumbled upon the information.
The Social Security data was on a roster of previous students maintained by an undisclosed academic department on a university Web server.
The roster was stored by someone who did not realize it included Social Security numbers
[Evan] It's scary when people use information and don't know what information they're using. This statement opens the door to all kinds of potential issues in my mind.
There's no evidence that anyone else saw the list or accessed the data, which was expunged as soon as the student brought it to the university's attention.
[Evan] Proper logging could have provided this evidence.
Officials are alerting students and taking steps to make sure such security breaches don't happen again.
University policy requires encryption of any personal, confidential information, the Sept. 18 security announcement said.
[Evan] Good. Does this policy address data both at rest and in transit? Encrypted data has to be decrypted before it is of any use; does the policy (or its supporting standards and procedures) also cover how and where that decrypted data is handled?
officials are notifying the former students by letter
SSU has provided a toll-free number for affected individuals who need additional information. That number is 1-.
Commentary:
"The roster was stored by someone who did not realize it included Social Security numbers." This is the statement that really gets under my skin and leads me to additional questions. Was this person authorized to have access to Social Security numbers? Was this person properly trained in the use (creation, collection, storage, transmission, and destruction) of sensitive information? Was this person made aware of the consequences of poor data handling? And on and on...
A silver lining might be that this breach affected former computer science students. Maybe some of these computer science students will go on to information security careers and use this incident as a learning experience.
Past Breaches:
Unknown
Don't count on any former student learning from this. We are living in a society where nobody pays attention, e.g. the financial crisis.