Many details missing in University of Rochester breach
Technorati Tag: Security Breach
Date Reported:
1/11/09
Organization:
University of Rochester
Contractor/Consultant/Branch:
None
Location:
Rochester, New York
Victims:
Current and former students
Number Affected:
"about 450"
Types of Data:
Personal information including names and Social Security numbers
Breach Description:
"Personal information including Social Security numbers of about 450 current and former University of Rochester students was stolen by hackers this week from a UR database."
Reference URL:
University of Rochester Press Release
WHEC-TV Channel 10 News
Rochester Democrat & Chronicle
WXXI News
Report Credit:
University of Rochester
Response:
From the online sources cited above:
The names and Social Security numbers of approximately 450 University of Rochester students and former students were accessed and copied illegally from a non-academic student database in recent weeks.
[Evan] After reading the University of Rochester press release, it seems all I have are questions. What was the purpose of the "non-academic" database and why was it necessary to store Social Security numbers in it?
The University is notifying by e-mail and letter the individuals whose personal information was copied to an off-campus IP address.
The investigation of the incident, which was discovered on the evening of Jan. 7, is continuing.
[Evan] How was the incident discovered?
"We are dedicated to the integrity of our information systems and to reducing the potential for risks of identity theft for our current and former students," said University Provost Ralph Kuncl.
"We have alerted the FBI, the New York State Attorney General, the Consumer Protection Board, and the Office of Cyber Security. Our network security staff have taken immediate, concrete steps to minimize the chances of this happening again."
[Evan] What steps were taken to minimize the chances of this happening again? We don't even know how the breach took happened in the first place, so what the heck DO we know?
The University will pay for credit protection monitoring and insurance for one year for the individuals affected by the hacking incident.
Exactly when and how personal information was copied from the non-academic student database is under investigation.
This database has been taken off-line.
Sharon Dickman, a spokesperson for the U of R, said, “That's a lot of people and we're concerned about it. We don't know who would have copied them. We don't know why they were done. Our IT people say it was done by another IP address outside the university.”
Inquires about this incident can be made to Sharon Dickman at University Communications at or e-mail .
Commentary:
Nobody seems to know anything about what happened other than the fact that a database containing sensitive information was accessed and copied somewhere offsite. We don't know the purpose of the database. We don't know how the database was accessed. We don't know when the database was accessed. We don't know who accessed the database. We don't know anything about the preventative controls that may have been in place. We don't know how the school became aware of the breach. We don't know what the school has done, or intends to do to prevent future breaches. You get the point? We don't know squat.
The press release was a whole bunch of words telling people little more than nothing. Maybe it's the "we don't want to jeopardize the investigation" argument. Hopefully the letter to the victims is more clear. Victims (information owners) deserve to know more.
Past Breaches:
Unknown
Date Reported:1/11/09
Organization:
University of Rochester
Contractor/Consultant/Branch:
None
Location:
Rochester, New York
Victims:
Current and former students
Number Affected:
"about 450"
Types of Data:
Personal information including names and Social Security numbers
Breach Description:
"Personal information including Social Security numbers of about 450 current and former University of Rochester students was stolen by hackers this week from a UR database."
Reference URL:
University of Rochester Press Release
WHEC-TV Channel 10 News
Rochester Democrat & Chronicle
WXXI News
Report Credit:
University of Rochester
Response:
From the online sources cited above:
The names and Social Security numbers of approximately 450 University of Rochester students and former students were accessed and copied illegally from a non-academic student database in recent weeks.
[Evan] After reading the University of Rochester press release, it seems all I have are questions. What was the purpose of the "non-academic" database and why was it necessary to store Social Security numbers in it?
The University is notifying by e-mail and letter the individuals whose personal information was copied to an off-campus IP address.
The investigation of the incident, which was discovered on the evening of Jan. 7, is continuing.
[Evan] How was the incident discovered?
"We are dedicated to the integrity of our information systems and to reducing the potential for risks of identity theft for our current and former students," said University Provost Ralph Kuncl.
"We have alerted the FBI, the New York State Attorney General, the Consumer Protection Board, and the Office of Cyber Security. Our network security staff have taken immediate, concrete steps to minimize the chances of this happening again."
[Evan] What steps were taken to minimize the chances of this happening again? We don't even know how the breach took happened in the first place, so what the heck DO we know?
The University will pay for credit protection monitoring and insurance for one year for the individuals affected by the hacking incident.
Exactly when and how personal information was copied from the non-academic student database is under investigation.
This database has been taken off-line.
Sharon Dickman, a spokesperson for the U of R, said, “That's a lot of people and we're concerned about it. We don't know who would have copied them. We don't know why they were done. Our IT people say it was done by another IP address outside the university.”
Inquires about this incident can be made to Sharon Dickman at University Communications at or e-mail .
Commentary:
Nobody seems to know anything about what happened other than the fact that a database containing sensitive information was accessed and copied somewhere offsite. We don't know the purpose of the database. We don't know how the database was accessed. We don't know when the database was accessed. We don't know who accessed the database. We don't know anything about the preventative controls that may have been in place. We don't know how the school became aware of the breach. We don't know what the school has done, or intends to do to prevent future breaches. You get the point? We don't know squat.
The press release was a whole bunch of words telling people little more than nothing. Maybe it's the "we don't want to jeopardize the investigation" argument. Hopefully the letter to the victims is more clear. Victims (information owners) deserve to know more.
Past Breaches:
Unknown
Posts Atom 1.0
Comments