Cal Poly Pomona to notify 675 of breach
Technorati Tag: Security Breach
Date Reported:
12/3/08
Organization:
California State Polytechnic University, Pomona ("Cal Poly Pomona")
Contractor/Consultant/Branch:
None
Location:
Pomona, California
Victims:
Applicants from 2001
Number Affected:
675
Types of Data:
"names, addresses, phone numbers and Social Security numbers"
Breach Description:
"POMONA, Calif.—Cal Poly Pomona has apologized for an error that made the personal information of nearly 700 people available on the Internet."
Reference URL:
Pasadena Star-News
San Bernardino Sun
The Mercury News
Report Credit:
Pasadena Star-News
Response:
From the online sources cited above:
POMONA, Calif.—Cal Poly Pomona has apologized for an error that made the personal information of nearly 700 people available on the Internet.
A former Cal Poly student came across the Excel file with his personal information when he researched himself on Google.
[Evan] Maybe it's just me, but if I am responsible for the information security program (of a company or other organization) and I am notified of a breach by someone in the user community, it adds to a sense of embarrassment. I would be lying if I said it hasn't happened to me.
He told university officials on Nov. 17, and they immediately looked into the incident, Brum said.
An investigation found that an Excel file had inadvertently been released with the addresses, Social Security numbers and other information on 675 people who applied to the school in 2001.
[Evan] Only recently has information security gained enough visibility and awareness to garner news headlines. It's unfortunate that so many breaches and other bad things have to happen before people stop and listen. Back in 2001, it seems like the only people aware of information security risks and benefits were the practitioners. As a practitioner myself, if I were to subjectively rate how far we've come in terms of how far we need to go, I would say that we are 20% there. I am an optimist.
Cal Poly official Debra Brum says the information was mistakenly placed in a computer folder that could be publicly accessed.
It's unclear how long the data was public.
[Evan] This is a cause for concern. A good forensic analysis might shed some light.
"At some point, it was permitted to the public, but we don't know when or how," Brum said.
The file was originally stored on an old server scheduled for replacement in 2009, according to a Cal Poly news release.
The school has removed the information from the Web and is notifying the former applicants.
[Evan] I hope that Google, Yahoo, MSN Search and other search engine caches have been purged also.
Officials said they had notified about 90 percent of the applicants and were working to contact the rest.
"It's a very unusual occurrence," said Debra Brum, the university's vice president for instructional and information technology and chief technology officer. "We so deeply regret that this happened."
[Evan] It is NOT very unusual. Thinking so might be dangerous.
The university is also in the process of bringing all of its computers and servers up to a higher level of security.
[Evan] If a "higher level of security" is required in order to bring risks into alignment with what is acceptable to the university, then fine. This is an ongoing process of refinement.
"A very small number of university people have access to Social Security numbers, and they are carefully trained," Brum said.
Commentary:
It is a little unnerving that the university has no idea how long the information was publicly accessible or how many others may have accessed it.
Past Breaches:
Unknown
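As an added illustration of the forensic analysis suggested in the commentary above (this is example code written for this page, not anything from the original post, the news reports or the university), the first question an incident responder asks of a web server access log is: when was the file first served, to whom, and how was it found? The script below assumes Apache "combined"-format logs, uses a hypothetical file path /old-data/applicants2001.xls, and runs against a constructed sample in which every IP address, date and user agent is made up.

```python
import re
from datetime import datetime

# Apache "combined" log format is assumed here. An older server might instead use
# NCSA common format, which lacks the trailing referer and user-agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User-agent markers of the major search-engine crawlers of the period
# (plus bingbot, which later replaced msnbot).
CRAWLER_MARKERS = ("googlebot", "yahoo! slurp", "msnbot", "bingbot")

# Constructed sample log: every IP, path, date and user agent below is made up.
SAMPLE_LOG = """\
66.249.65.10 - - [02/Oct/2008:03:14:07 -0700] "GET /old-data/ HTTP/1.1" 200 1812 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.10 - - [02/Oct/2008:03:14:09 -0700] "GET /old-data/applicants2001.xls HTTP/1.1" 200 409600 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
72.30.142.5 - - [15/Oct/2008:11:02:41 -0700] "GET /old-data/applicants2001.xls HTTP/1.0" 200 409600 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
10.1.2.3 - - [01/Nov/2008:09:00:00 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 - - [17/Nov/2008:20:31:55 -0800] "GET /old-data/applicants2001.xls HTTP/1.1" 200 409600 "http://www.google.com/search?q=applicants" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.4"
198.51.100.7 - - [17/Nov/2008:20:32:10 -0800] "GET /old-data/applicants2001.xls HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.4"
203.0.113.9 - - [18/Nov/2008:02:15:30 -0800] "GET /old-data/applicants2001.xls HTTP/1.1" 403 221 "-" "curl/7.18.2"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def exposure_report(log_text, target_path):
    """Bound the exposure window of target_path and list who fetched it.

    Only 200/206 responses count as the file leaving the server: a 304 means the
    client already held a copy, and 401/403/404 mean it was refused or gone.
    """
    parent = target_path.rsplit("/", 1)[0] + "/"
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    if not recs:
        raise ValueError("no parseable log lines")
    log_start = min(r["ts"] for r in recs)
    log_end = max(r["ts"] for r in recs)
    hits = [r for r in recs if r["path"] == target_path]
    served = [r for r in hits if r["status"] in (200, 206)]
    first_served = min((r["ts"] for r in served), default=None)
    return {
        "log_window": (log_start, log_end),
        "requests": len(hits),
        "served": len(served),
        "first_served": first_served,
        "last_served": max((r["ts"] for r in served), default=None),
        # If the earliest successful fetch is also the earliest line retained, the
        # exposure may predate the log: first_served is then a bound, not an answer.
        "may_predate_log": first_served is not None and first_served == log_start,
        "crawler_ips": sorted({r["ip"] for r in served if is_crawler(r["ua"])}),
        "other_ips": sorted({r["ip"] for r in served if not is_crawler(r["ua"])}),
        # A search-results referer shows the file was reached through an engine's index.
        "via_search_engine": sum(1 for r in served if "/search?" in r["referer"]),
        # A 200 on the parent directory means directory listing was on: that is "how".
        "listing_served": sum(1 for r in recs if r["path"] == parent and r["status"] == 200),
        "refused_or_gone": sum(1 for r in hits if r["status"] in (401, 403, 404)),
    }


def summarize(rep):
    lines = [
        "log covers   : %s to %s" % rep["log_window"],
        "requests     : %d (served %d, refused/gone %d)" % (rep["requests"], rep["served"], rep["refused_or_gone"]),
        "served window: %s to %s%s" % (rep["first_served"], rep["last_served"],
                                      " (may predate log retention)" if rep["may_predate_log"] else ""),
        "crawlers     : %s" % ", ".join(rep["crawler_ips"]),
        "other clients: %s" % ", ".join(rep["other_ips"]),
        "via search   : %d   directory listing served: %d" % (rep["via_search_engine"], rep["listing_served"]),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(exposure_report(SAMPLE_LOG, "/old-data/applicants2001.xls")))
```

Two things the output makes explicit that the news coverage could not: a crawler hit on the file means that engine holds a cached copy, so removing the file from the server does not end the exposure until the cache is purged; and if the earliest successful fetch coincides with the start of the retained log, the true start of the exposure is unknown and the notification letters should say so rather than quote the log's first date as fact.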
Say Evan, where could I go to school in the Memphis area, and about how many semester hours or quarter hours would it take for me to reach your level of IT security knowledge, if this kind of knowledge is taught in Tennessee? Is there any online program that is not designed for those who are into "affirmative action" and that goes further than "see Dick run"? When I studied programming, it was COBOL and FORTRAN and was performed on keypunch machines in the early '70s. I was 16 and using the biggest computer in Tennessee (except what the government probably had at Oak Ridge) at Memphis State (I forget, U of M) on those old reel-to-reel computers that take up a whole room. My present phone is more powerful than that monster was. I do not like it when people know more about things than me (a weird problem to have considering the amount of knowledge mankind possesses these days), and it is obvious to me that I could not even carry on a conversation with you about anything other than concepts.
Hey Charles,
Great questions! I should be more prepared to answer these questions.
I am not too familiar with the Memphis area, so it's difficult for me to recommend a specific school there. There are a few good online courses that you could explore. The best way for me to share how to reach my level of IT security knowledge would be to share a little of my past.
I came up through the ranks and it took me ~15 years to get where I am today. I started on a small help desk back in 1993 (out of college), moved on to systems administration (primarily Windows NT 3.5 and 4.0 and Novell), then on to network administration/engineering (primarily Cisco), then consulting and information security. I have always had an interest in the field and always tinkered since I was a kid. I have been formally dedicated to the information security field since 2000 and have thousands of experiences, consulted hundreds of people, built information security programs from scratch for private and public companies, etc. I learn something new every day, in every engagement. Over the years I have loved almost every minute of it. I regularly read, attend seminars, and fully understand that there is ALWAYS more to learn.
My advice for you is to find a passion for it and read everything you can about the subject. Some people learn differently than others. Personally, I am more comfortable in a self-taught environment. I enjoy personal discovery. Start with introductory books that get across the basics and concepts first. Once you have a solid base, start exploring more specialized information security knowledge. After a while it almost seems like most of it becomes common sense. A person teaching a class is either teaching from a text book (based on other people's experience), teaching from personal experience, or both. I learn best from my own experiences.
I have also had the pleasure of mentoring information security professionals, some of whom have gone on to make significant contributions to the companies they work for. I hope I answered your questions. Let's continue this conversation. Email me directly. It may take some time for me to respond, but eventually I will. So many emails, so little time.
I appreciate your comments and questions more than you know.
Evan