As many as 53,000 people are affected by University of Hawai'i breach


Date Reported:
7/6/10

Organization:
The University of Hawai‘i System

Contractor/Consultant/Branch:
University of Hawai‘i at Manoa

Location:


Victims:
"UH Manoa faculty and staff members employed in 1998, and anyone who had business with the UH Manoa Parking Office between Jan. 1, 1998 and June 30, 2009"

Number Affected:
"approximately 53,000"

Types of Data:
"personal information, including names, social security numbers, addresses, driver’s license numbers, vehicle information and credit card information"

Breach Description:
"The University of Hawai‘i at Manoa today began notifying approximately 53,000 individuals listed in a system database, housed on a computer server used by the Parking Office, that a recent security breach may have exposed personal information—including approximately 40,870 Social Security numbers and 200 credit card numbers."

Reference URL:
UH Manoa News Release
Honolulu Star Advertiser
Pacific Business News

Report Credit:
AMR Corporation via news outlets

Response:
From the online sources cited above:

Some 53,000 people may have had their personal information exposed after a breach to the University of Hawaii computer system was discovered.

The university released a statement Tuesday that more than 40,000 social security numbers and 200 credit card numbers were part of the exposed information that was housed on a computer server used by the Manoa campus parking office.
[Evan] Are you wondering why a "parking office" needs to collect and store Social Security numbers?  I certainly am.

University officials believe that the breach occurred on May 30 and wasn’t discovered until June 15.

Letters were mailed to affected individuals on Saturday, July 3 and an email notice will be sent to the most recent email addresses that the school has on record.

The FBI and Honolulu Police Department are investigating the breach that was discovered on June 15 during a routine audit.
[Evan] This is one of the many reasons why it is a highly recommended practice to regularly audit your information resources and information security controls.  Kudos to UH for following a very good principle.  It stinks that it resulted in the identification of a breach, but how long could the exposure have gone on if it wasn't detected?

The database contained personal information, including names, social security numbers, addresses, driver’s license numbers, vehicle information and credit card information of two main groups of individuals: UH Manoa faculty and staff members employed in 1998, and anyone who had business with the UH Manoa Parking Office between Jan. 1, 1998 and June 30, 2009.
[Evan] Wow, that is a lot of sensitive information for a parking office.  Data going back 12+ years?!

If someone is concerned that their information may have been in that data pool they can call on weekdays between the hours of 8:00 a.m. and 4:30 p.m.

UH Manoa has also posted a list of frequently asked questions and answers on a website: http://www.hawaii.edu/idalert/. The questions and answers are re-printed below:

1. What happened?
A routine audit conducted on June 15, 2010, discovered that unauthorized access to a computer server used by the UH Manoa Parking Office had occurred on May 30, 2010.

2. Am I affected?  
Approximately 53,000 records were stored in the database.  Of this total, approximately 41,000 Social Security numbers and 200 credit card numbers were exposed.  The database contained data on two main groups of individuals:

    1.  UH Manoa faculty and staff members employed in 1998.  In addition, faculty and staff employed within the UH system in 1998 and any registered student at UH Manoa in 1998 are included.
    
    2.  Anyone who had business with the UH Manoa Parking Office between January 1, 1998, and June 30, 2009.  This includes:
        a.  Anyone who purchased parking permits, including staff of the East-West Center, UH Foundation and Research Corporation of the University of Hawai‘i (RCUH).
        b.  Any campus visitor who had a vehicle towed or appealed a parking citation.
 
3. What information was in the compromised database?
The database contained personal information, including names, Social Security numbers, addresses, driver’s license numbers, vehicle information, and credit card information.  Information on other individuals included their UH identification numbers, which are not sensitive.

4. Has the data been misused?
At this time, UH Manoa has no evidence that personal information was actually accessed, but we also cannot determine with certainty that it was not accessed.

5. Is there an investigation into this incident?
A forensic computer expert has been retained to further investigate this matter.  The Honolulu Police Department and FBI have been notified, and have been asked to investigate any potential criminal activity related to this incident.
 
6. What is the campus doing to prevent future security breaches?
Social Security numbers are no longer used for parking transactions, and are being purged from all current and historical Parking Office databases.  Additional security measures being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks.
 
7. How will affected individuals be notified?
Letters to affected individuals were mailed on Saturday, July 3, 2010, and should be received starting on the next business day, Tuesday, July 6.  In addition, an email notice will be sent to affected individuals at their most recent email address on record.
 
8. What should affected individuals know and do?
Carefully monitor your financial information and take protective measures against identity theft, which include:

    Obtaining and carefully reviewing credit reports.  Free credit reports from all three credit agencies may be obtained at www.annualcreditreport.com or by calling .

    Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.

    Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.

If your identity or account has been compromised, you may take actions such as requesting refunds, closing accounts, and placing your credit records in a state of “fraud alert” or “freeze.” Please know that we are making every effort to ensure that this incident does not recur.

Commentary:
This isn't a question of whether or not the information was disclosed; it was.  The key words that support this fact are "unauthorized access", which was discovered and confirmed.  This breach should be significant enough for the Honolulu Police Department and FBI to investigate, so we should learn of additional details in the future.

We know very little about the information security controls that were in place in an attempt to protect this information, and we know very little about how the breach actually occurred.  We can only speculate.

I really come away with the feeling that the University of Hawai'i is pretty forthcoming in their disclosure, which I think is very important to save face.  On a personal note, I would LOVE to help on this investigation (being in my favorite state and all).

Past Breaches:
Unknown

 