45 Kansas State students' information sat exposed since 2001

Date Reported:
1/30/09

Organization:
Kansas State University

Contractor/Consultant/Branch:
College of Agriculture

Location:
Manhattan, Kansas

Victims:
Students who "were enrolled in AGEC 490 'Computer Applications in Agricultural Economics and Agribusiness' during the spring semester of 2001"

Number Affected:
45

Types of Data:
"Names, Social Security numbers and grades"

Breach Description:
"Kansas State University is notifying 45 students who were enrolled in an agricultural economics class in spring 2001 that some personal information was inadvertently exposed on the Internet through a K-State departmental Web site."

Reference URL:
Presswire via Comtex and Trading Markets
Kansas City Star

Report Credit:
Kansas State University

Response:
From the online sources cited above:

Kansas State University is notifying 45 students who were enrolled in an agricultural economics class in spring 2001 that some personal information was inadvertently exposed on the Internet through a K-State departmental Web site.
[Evan] This breach is small in terms of the number of people affected, but it gives us a pretty good example of poor information (security) management.  This information has been sitting (exposed) on a departmental web server for 7+ years!

The students whose information was affected were enrolled in AGEC 490 "Computer Applications in Agricultural Economics and Agribusiness" during the spring semester of 2001.

Names, Social Security numbers and grades of those students have been inadvertently exposed since 2001.

University information security staff were made aware of the problem last week.
[Evan] How were information security staff "made aware of the problem"?

All data has been removed from the Web site and steps are being taken to prevent a repeat of this situation.
[Evan] Like what?  I would cut the school a little more slack if this wasn't their 3rd breach (that I know of) since November, 2007.

Although there is no evidence that anyone's personal information has been misused by identity thieves, the university is notifying the affected individuals of the situation and the steps they can take to protect themselves.
[Evan] If the information were misused, what evidence would Kansas State have?  The information sat on the server for more than seven years without school officials or victims ever knowing.  Think about it: if you were a student back in 2001 and you were a victim of identity theft at some point in the last seven years, how would you know that the information was obtained from Kansas State?

In addition to supporting the affected persons, the university continues implementing even more stringent network and server access controls and taking steps to increase faculty and staff awareness of personal information security issues.
[Evan] This all sounds good.

"Most importantly, we want to increase awareness among faculty and staff of the need to be vigilant protecting personal information, including Social Security numbers, in accordance with K-State policy," said Harvard Townsend, chief information security officer.

"We deeply regret this incident," Townsend said. "K-State takes the protection of the personal information of our students very seriously."

K-State has been phasing out the use of Social Security numbers as student identification, beginning with the elimination of these numbers from university ID cards in 2006.
[Evan] Has "phasing out" been completed?  Is the process of going through information resources to identify and secure (or destroy) legacy Social Security numbers part of "phasing out"?

With the implementation of a new student system in fall 2008, the university eliminated the Social Security number as the student ID.

Fred Cholick, dean of Agriculture, said personnel in the department of agricultural economics have contacted students involved and will assist with any questions.

Information on preventing identity theft is available at www.k-state.edu/infotech/security/topics/idtheft.html

CONTACT:
Allen Featherstone, K-State Tel: +1 e-mail:
Cheryl May, K-State Tel: +1 e-mail:

Commentary:
This breach is very similar to one that was announced in November, 2007 at Kansas State (See: "128 international students exposed on K-State web site").  The November, 2007 breach was also a product of a poorly secured departmental web site that went unnoticed for many months.  I chalked the November, 2007 breach up to a simple mistake, but here we are again.

Past Breaches:
Kansas State University:
August, 2008 - Documents are stolen from K-State instructor's car
November, 2007 - 128 international students exposed on K-State web site


 