University of Florida College of Dentistry notifies more than 330,000 patients
Technorati Tag: Security Breach
Date Reported:
11/12/08
Organization:
University of Florida
Contractor/Consultant/Branch:
College of Dentistry
Location:
Gainesville, Florida
Victims:
Patients
Number Affected:
344,482
Types of Data:
"restricted data, including a combination of names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information"
Breach Description:
"University of Florida officials have notified about 330,000 current and former dental patients that an unauthorized intruder recently accessed a College of Dentistry computer server storing their personal information."
Reference URL:
University of Florida College of Dentistry
Star-Banner
WRUF Radio
Report Credit:
University of Florida College of Dentistry
Response:
From the online sources cited above:
On October 3, 2008, while upgrading a computer server, UF's College of Dentistry staff discovered evidence that an intruder had accessed that server.
when college staff members were upgrading the server and found software had been remotely installed on it
[Evan] On the one hand, staff members should be commended for finding the unauthorized software. On the other hand, how does a server storing sensitive information come to be compromised remotely? Remote installation of software requires a privileged account. Was the server not patched? Was someone using the server to surf the web? Why wasn't the unauthorized installation detected at the time or shortly thereafter (no host based IDS/IDP)?
When the breach was discovered, IT staff immediately disconnected the server from the Internet to cut off the intruder's access.
[Evan] Do you suppose that the University of Florida has an incident response plan (and procedure)? If so, are all appropriate staff trained?
The server contained some restricted data, including a combination of names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information for College of Dentistry patients dating back to 1990.
[Evan] Going back to 1990?! Oy. There should be no reason to store such dated information. No data retention policy?
There is no evidence that the intruder viewed or downloaded any of this information.
[Evan] If the "intruder" had the ability to install unauthorized software remotely, the intruder probably had the ability to remove evidence.
However, it is a possibility the data was obtained.
For this reason, the university mailed letters to 336,234 people who had information on that server so they can take steps to protect themselves from identity theft or other illegal use of their personal information.
There were 8,248 records without mailing addresses; the university is notifying the national media as an attempt to reach those people.
This data security breach is now part of an ongoing investigation by the FBI and the University of Florida Police Department, with full cooperation and support from the university and the College of Dentistry.
Please note that the database contained:
For more information, please visit the UF privacy website at www.privacy.ufl.edu or call our toll-free number: 1-.
The system was subsequently rebuilt with more stringent security controls.
[Evan] Like? Patched? HIDS/HIPS? Strong passwords?
UF officials are in the process of screening up to 60,000 more computers to ensure appropriate safeguards are in place.
Dean of the college of dentistry, Teresa Doland, says that unfortunately they don't know why the intruder wanted these files.
[Evan] Logic might tell you "why the intruder wanted these files."
It's unfortunate that like many large institutions we were targeted.
We work hard to continually fine-tune our security protections, and maintaining our patients' trust and confidence is of utmost importance, said Teresa Dolan, dean of the UF College of Dentistry.
We cannot stress enough how seriously we take this matter. As soon as we learned of this situation, we launched an investigation and implemented additional safeguards designed to protect personal information. We urge patients to take the preventive steps we've outlined, and want to express our dismay at the inconvenience this occurrence may cause anyone.
In recent years, UF has added and strengthened firewalls and intrusion detection systems, encrypted data flows containing sensitive information, and increased vigilance in identifying threats and securing servers.
[Evan] All of these controls are largely technological. Controls are only as good as the people using them.
Despite these efforts, this illegal user was able to gain access to the server, Dolan said.
Commentary:
This is the fourth breach involving the University of Florida in the past year, see below.
Past Breaches:
University of Florida:
November, 2007 - University of Florida student info online
May, 2008 - University of Florida doctor loses job over breach
June, 2008 - University of Florida student information online for years
Date Reported:11/12/08
Organization:
University of Florida
Contractor/Consultant/Branch:
College of Dentistry
Location:
Gainesville, Florida
Victims:
Patients
Number Affected:
344,482
Types of Data:
"restricted data, including a combination of names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information"
Breach Description:
"University of Florida officials have notified about 330,000 current and former dental patients that an unauthorized intruder recently accessed a College of Dentistry computer server storing their personal information."
Reference URL:
University of Florida College of Dentistry
Star-Banner
WRUF Radio
Report Credit:
University of Florida College of Dentistry
Response:
From the online sources cited above:
On October 3, 2008, while upgrading a computer server, UF's College of Dentistry staff discovered evidence that an intruder had accessed that server.
when college staff members were upgrading the server and found software had been remotely installed on it
[Evan] On the one hand, staff members should be commended for finding the unauthorized software. On the other hand, how does a server storing sensitive information come to be compromised remotely? Remote installation of software requires a privileged account. Was the server not patched? Was someone using the server to surf the web? Why wasn't the unauthorized installation detected at the time or shortly thereafter (no host based IDS/IDP)?
When the breach was discovered, IT staff immediately disconnected the server from the Internet to cut off the intruder's access.
[Evan] Do you suppose that the University of Florida has an incident response plan (and procedure)? If so, are all appropriate staff trained?
The server contained some restricted data, including a combination of names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information for College of Dentistry patients dating back to 1990.
[Evan] Going back to 1990?! Oy. There should be no reason to store such dated information. No data retention policy?
There is no evidence that the intruder viewed or downloaded any of this information.
[Evan] If the "intruder" had the ability to install unauthorized software remotely, the intruder probably had the ability to remove evidence.
However, it is a possibility the data was obtained.
For this reason, the university mailed letters to 336,234 people who had information on that server so they can take steps to protect themselves from identity theft or other illegal use of their personal information.
There were 8,248 records without mailing addresses; the university is notifying the national media as an attempt to reach those people.
This data security breach is now part of an ongoing investigation by the FBI and the University of Florida Police Department, with full cooperation and support from the university and the College of Dentistry.
Please note that the database contained:
- No credit card or banking information
- No student record information
- No Human Resources/personnel information
- No UF Foundation information (such as donations to the college or credit card/banking information relating to that)
For more information, please visit the UF privacy website at www.privacy.ufl.edu or call our toll-free number: 1-.
The system was subsequently rebuilt with more stringent security controls.
[Evan] Like? Patched? HIDS/HIPS? Strong passwords?
UF officials are in the process of screening up to 60,000 more computers to ensure appropriate safeguards are in place.
Dean of the college of dentistry, Teresa Doland, says that unfortunately they don't know why the intruder wanted these files.
[Evan] Logic might tell you "why the intruder wanted these files."
It's unfortunate that like many large institutions we were targeted.
We work hard to continually fine-tune our security protections, and maintaining our patients' trust and confidence is of utmost importance, said Teresa Dolan, dean of the UF College of Dentistry.
We cannot stress enough how seriously we take this matter. As soon as we learned of this situation, we launched an investigation and implemented additional safeguards designed to protect personal information. We urge patients to take the preventive steps we've outlined, and want to express our dismay at the inconvenience this occurrence may cause anyone.
In recent years, UF has added and strengthened firewalls and intrusion detection systems, encrypted data flows containing sensitive information, and increased vigilance in identifying threats and securing servers.
[Evan] All of these controls are largely technological. Controls are only as good as the people using them.
Despite these efforts, this illegal user was able to gain access to the server, Dolan said.
Commentary:
This is the fourth breach involving the University of Florida in the past year, see below.
Past Breaches:
University of Florida:
November, 2007 - University of Florida student info online
May, 2008 - University of Florida doctor loses job over breach
June, 2008 - University of Florida student information online for years
Posts Atom 1.0
Comments