University of North Carolina School of Arts blames P2P for breach
Date Reported:
12/19/08
Organization:
University of North Carolina School of Arts ("UNCSA")
Contractor/Consultant/Branch:
None
Location:
Winston-Salem, North Carolina
Victims:
"students who were enrolled at UNCSA from July 2003 to May 2006"
Number Affected:
2,701
Types of Data:
Names and Social Security numbers
Breach Description:
"WINSTON-SALEM - The University of North Carolina School of the Arts (UNCSA) is notifying some current and former students that their names and Social Security numbers may have been accidentally exposed in a security breach involving a university computer server."
Reference URL:
UNCSA Press Release
UNCSA Incident Website
Winston-Salem Journal
Report Credit:
The University of North Carolina School of Arts ("UNCSA")
Response:
From the online sources cited above:
WINSTON-SALEM - The University of North Carolina School of the Arts (UNCSA) is notifying some current and former students that their names and Social Security numbers may have been accidentally exposed in a security breach involving a university computer server.
Approximately 2,700 individuals who were enrolled at UNCSA from 2003 to 2006, including summer session students, are being notified.
2,701 students and former students. They include students who were enrolled during regular year terms and summer sessions. 256 are currently enrolled students.
"We have no reason to believe that the personal information was stolen, used inappropriately or even accessed," said Lisa Smith, chief information officer at UNCSA. "However, we are notifying the affected parties so they might take steps to monitor their credit to ensure their identities have not been stolen."
Information Technologies believes the student email server was compromised in the spring of 2006 and a file with sensitive student data (names and Social Security numbers) was inadvertently copied to a machine on a peer-to-peer network.
[Evan] This language is a little confusing to me. It appears as though a P2P application was installed on an email server! Servers should generally not be used for client applications, e.g. P2P, internet browsing, etc. Once confidential information finds its way onto a P2P network, how do you know with certainty where it has been distributed?
The file containing the names and Social Security numbers did not identify UNCSA.
[Evan] So?
"We are continuing to attempt to discover how the file was compromised," said CIO Smith. "There is no indication it was a targeted, malicious act."
As soon as the security breach was discovered, UNCSA launched an investigation - assisted by its own internal auditor, police department, and the State Bureau of Investigation - of the affected computer and system.
IT staff have closely examined the server and verified that no malware currently exists on the system.
[Evan] Can an admin be classified as malware? Human malware?
Tests are being conducted to be certain that this kind of information cannot be accessed in the future.
[Evan] "Tests" should be conducted on a regular basis in all information security programs and all organizations need information security programs, thus all organizations should be conducting tests. "Tests" include penetration tests, information security assessments, risk assessments and the like, regardless of a breach.
During the summer of 2006, UNCSA discontinued use of Social Security numbers for student identification and replaced them with 8-digit identification numbers to enhance the security of personal data.
"We deeply regret this breach occurred and take our responsibilities for safeguarding student data very seriously," Smith added. "We are using best practices to ensure that the data is no longer accessible, and to enhance our security protocols."
[Evan] Unfortunately one organization's understanding of "best practices" differs from another organization's understanding. What "best practices" do you suppose UNCSA is employing?
UNCSA officials are also working with the Consumer Protection Division of N.C. Attorney General's Office and University of North Carolina General Administration to ensure that all appropriate steps are taken to respond to the incident.
In addition, UNCSA has established a website, www.uncsa.edu/incident, and a telephone hotline to answer questions about the incident.
The hotline number is 1-, and will be answered from 9 a.m. to 5 p.m. weekdays.
Please note that the school will be closed for the holiday break Dec. 24-Jan. 1; however, the hotline will be staffed during this period with the exception of Dec. 24, 25, and Jan. 1.
[Evan] Yeah, who wants to pay time and a half (or double-time)?
UNCSA was notified of the breach only last week during a scan of a peer-to-peer network. The company that discovered the breach does peer-to-peer monitoring for government entities and companies worldwide.
[Evan] I have to wonder. Rian?
Commentary:
Even though I pick it apart (as usual), I do like UNCSA's response to this breach.
If UNCSA had conducted regular "tests" of their information security controls, it is likely that they would have found this P2P installation themselves or prevented the installation altogether. If P2P cannot be controlled in an organization AND/OR there is no business case for its use, then its use should be prohibited. Makes sense, doesn't it?
Past Breaches:
None