SSNs found on Texas A&M Corpus Christi web site

Date Reported:
11/07/08

Organization:
Texas A&M University - Corpus Christi

Contractor/Consultant/Branch:
None

Location:
Corpus Christi, Texas

Victims:
Current and former students

Number Affected:
1,430

Types of Data:
Names and Social Security numbers

Breach Description:
"CORPUS CHRISTI — For the fourth time in two years and the second time in three months, a security breach at Texas A&M University-Corpus Christi has exposed students' or former students' Social Security numbers, university officials said Friday."

Reference URL:
Corpus Christi Caller-Times

Report Credit:
Stuart Duncan, Corpus Christi Caller-Times

Response:
From the online source cited above:

CORPUS CHRISTI — For the fourth time in two years and the second time in three months, a security breach at Texas A&M University-Corpus Christi has exposed students' or former students' Social Security numbers, university officials said Friday.
[Evan] Not a very good track record. How many more before somebody decides enough is enough?

Through an Internet search on the university's Web site Monday, a student viewed a document that listed admissions applicants from 2005
[Evan] Is there a reason why the school needs to keep sensitive personal information belonging to applicants?  I can understand keeping the information (securely) belonging to students who attend for a period of time, but not applicants. Students who attend are customers, applicants are not.

The page listed 1,430 names and Social Security numbers.

The student, who (A&M-Corpus Christi spokesman Marshall) Collins said saw her own Social Security number on the page, reported it to university officials.

Officials then temporarily shut down the site and removed the document

"We take this very seriously and it is always disappointing when something like this happens," A&M-Corpus Christi President Flavius Killebrew said Friday.

letters to all of the individuals listed will be mailed Monday to inform them about the breach

security officials were trying to determine Friday how long the page had been viewable

"This is an ongoing problem that all campuses face, with old data on computers with millions of files and it is difficult to make sure that they are all deleted," Nelsen said. "It is disappointing that it has happened again and we are going to be very aggressive to alleviate this problem."
[Evan] While this statement is true, it is no excuse and shouldn't be allowed to minimize the importance of sound information security.

"I think it is a little ridiculous -- as a student I expect my information to be protected and secure," Jennifer Barrientos, a 22-year-old senior biology major at the university

The university in fall 2007 eliminated use of Social Security numbers as student identification numbers. The university now uses a random numerical system for IDs.
[Evan] Many schools have done this same thing, which is good.  The schools understood that they couldn't use Social Security numbers as student IDs and protect the confidentiality of Social Security numbers at the same time.  A good follow-up decision would be to identify all places where Social Security numbers are used and destroy them or implement appropriate controls to protect them.

Nelsen said the computer server containing the file had been scanned and purged of sensitive documents, but the archives on the server were not, and that is where the document with the numbers was located.
[Evan] How can you purge the server, but not the archives that were stored on the server?

Nelsen said the employee responsible for scanning the archives will be reprimanded but not terminated.
[Evan] It's likely that the information security-related problems at the school are much bigger.

Nelsen said the university will look into hiring outside technology experts to determine what can be done to prevent breaches.
[Evan] Give us a call at FRSecure.  We could certainly help to make some significant positive changes at the school (we wouldn't be able to write about the school anymore either).

Commentary:
We haven't covered any of the other three breaches at Texas A&M University - Corpus Christi.  There was a breach in September of this year blamed on a "hacker" gaining unauthorized access to a document containing Social Security numbers.  We missed this one.  The other two breaches occurred prior to the creation of The Breach Blog.

Four breaches gaining public exposure does not speak too well of information security practices at the school.  Let's hope that this one is the last for a while.

Past Breaches:
Multiple, est. three others since mid-2007.


 