126,000 people affiliated with six Florida schools involved in CCLA breach
Date Reported:

8/10/10
Organization:
Broward College
Florida State College at Jacksonville
Northwest Florida State College
Pensacola State College
South Florida Community College
Tallahassee Community College
Contractor/Consultant/Branch:
College Center for Library Automation ("CCLA")*
*Established in 1989, CCLA operates Florida's Library Information Network for Cooperative Content (LINCC) and associated web-based information portal, LINCCWeb. CCLA is a cooperative effort between the Florida Department of Education's Division of Florida Colleges and the College Council of Presidents.
Location:
Online
Victims:
"students, faculty, and staff of six Florida public colleges"
Number Affected:
"As many as 126,000"
Types of Data:
"personal information, as defined by Section 817.5681(5)(a)-(c), Florida Statutes"*
*CCLA has not defined what personal information was exposed. Section 817.5681(5)(a)-(c), Florida Statutes, states:
For purposes of this section, the term "personal information" means an individual's first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted: (a) Social security number; (b) Driver's license number or Florida Identification Card number; (c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Breach Description:
"On August 10, 2010, CCLA notified students, faculty, and staff of six Florida public colleges that some of their personal information, as defined by Section 817.5681(5)(a)-(c), Florida Statutes, was temporarily open to online access for a five-day period between May 29 and June 2, 2010." The information was inadvertently made available during the installation of a software upgrade.
Reference URL:
CCLA "Information About Security Incident"
CCLA Media Release
CCLA Notification e-mail to affected individuals
The Miami Herald
eSecurity Planet
Report Credit:
CCLA
Response:
From the online sources cited above:
August 10, 2010 - Tallahassee, FL
The College Center for Library Automation (CCLA), which provides automated library services and electronic resources to Florida's public colleges, today began informing students, faculty, and staff of six colleges that some of their personal information was inadvertently open to online access between May 29 and June 2, 2010.
[Evan] The breach announcement from CCLA is not specific about what information was exposed, but there have been reports that mention Social Security numbers. If this is true, why does an organization that provides "automated library services and electronic resources" need this type of information?
Importantly, while there is evidence of either viewing by unauthorized persons or search engine posting of some of the personal information, CCLA has found no indication that the data has actually been obtained or misused.
[Evan] Due to the nature of the Internet and HTTP/FTP traffic, if the information was viewed by unauthorized persons, it was actually obtained by unauthorized persons.
The temporarily exposed personal information, as defined by Section 817.5681(5)(a)-(c), Florida Statutes, belongs to perhaps as many as 126,000 individuals at six colleges.
CCLA is notifying the potentially affected individuals in writing, recommending that they place a fraud alert on their credit files to minimize the risk of identity theft, and providing instructions on placing the alert.
CCLA's instructions also include information on reporting any suspected fraudulent activity.
The institutions affected are Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College.
The records of these institutions were contained in temporary work files that were being processed by CCLA at the time of the exposure.
"We pride ourselves on protecting private information and deeply regret this inadvertent exposure. I apologize to those involved for any worry or inconvenience this may cause them," said CCLA's Chief Executive Officer Richard Madaus.
[Evan] I found the use of the word "pride" interesting. How many times do we see pride lead to a false sense of security?
"As evidenced by our quick response to this incident, CCLA takes the security of personal data very seriously. We will continue to enhance our technology to safeguard all of the information entrusted to us."
CCLA has determined that the installation of a software upgrade left the personal data unintentionally accessible for five days.
[Evan] I can't speak specifically to CCLA's change management procedures, but I do know that good change management procedures should prevent (or at least reduce the likelihood of) things like this happening. Formal change management procedures should account for all resources necessary to complete the change, review by information security personnel, change plans, test plans, etc.
CCLA first learned of the error on June 23, 2010, notified leaders of the colleges affected, initiated a security investigation, and began working with the Leon County Sheriff's Office Financial Crimes Unit.
Investigators discovered that some personal information has been accessed by unauthorized persons and that some was available through Google until the search engine was notified.
All online access to the sensitive information was removed within 18 hours or less of discovery, and no further access is possible.
For more information about this issue, please visit CCLA's Security page at www.cclaflorida.org/security or call .
Selected FAQs:
Who has been potentially affected by this incident?
Students, faculty, and staff members at the following Florida colleges: Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College.
Why were these colleges affected?
All libraries maintain records for each user (borrower records), which include personal information. Because CCLA provides library management services to Florida's public colleges, the borrower records for college students, faculty, and staff reside in CCLA's system. These colleges were affected because their borrower records were contained in temporary work files that were being processed by CCLA at the time of exposure.
[Evan] I can understand the need for libraries to maintain certain personal information about patrons, but I question what types of personal information may be required. I am also very concerned with how this information finds itself exposed to the internet. Ideally, confidential information will be stored in a centralized location with very restrictive access controls.
How and when was this issue discovered?
CCLA staff was alerted to this issue on June 23, 2010, when a Florida College System institution advised CCLA that a student reported finding their own personal information embedded in a set of Google search results.
[Evan] Embarrassing.
What actions has CCLA taken to ensure that this kind of incident will not reoccur in the future?
After determining the cause of this issue, CCLA staff immediately took additional steps to ensure the security of all personal data. CCLA staff worked with representatives from Google to ensure that all borrower information was completely removed and that Google no longer had access to any of CCLA's secure servers. All sensitive information was purged from Google by June 24, 2010. CCLA has made every effort to ensure that internally used sites are not accessible by anyone outside of its internal network.
[Evan] This doesn't answer the question! What will CCLA change or improve in order to ensure that this type of incident will not (or be much less likely to) occur again?
Does CCLA have any specific information about who may have accessed the information?
Unfortunately, CCLA is unable to identify the individuals who may have accessed the data or to determine what they may have done with any data that they accessed. There was insufficient evidence to make any determination.
How can I contact CCLA regarding this issue?
Contact CCLA by e-mail at or by telephone at .
Commentary:
This breach didn't result from any criminal action or intent; it was a simple mistake that occurred while conducting routine tasks. Perhaps a thorough change management process would reduce the likelihood of this happening again.
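One concrete post-change check that belongs in the kind of test plan discussed above, as an added example that is not CCLA's code and not part of the original post: before (and right after) an upgrade goes live, walk the web-served directory tree and flag leftover work files and any file whose contents look like the data classes named in Section 817.5681(5) (dash-formatted SSNs, Luhn-valid card numbers). The web root layout, the file names, and the borrower rows are constructed sample data for the demonstration; the temp-file name patterns are assumptions about what an upgrade might leave behind, not anything the page reports about CCLA's system.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Dash-formatted SSNs (Section 817.5681(5)(a)) and 13-16 digit runs with
# optional single separators, which are only counted if they pass Luhn
# (payment card numbers, Section 817.5681(5)(c)). Both patterns are
# heuristics and will not catch every encoding of this data.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

# Assumed names of work files that a migration or upgrade might leave
# under a web root; adjust to the conventions of the system being checked.
TEMP_NAME_RE = re.compile(r"(\.(tmp|bak|old|csv|sql|dump)$|^(tmp|temp))", re.I)


@dataclass
class Finding:
    path: str        # path relative to the audited web root
    reason: str      # why the file was flagged
    ssn_hits: int    # number of SSN-shaped tokens found
    card_hits: int   # number of Luhn-valid card-shaped tokens found


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to cut false positives on plain digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count SSN-shaped and Luhn-valid card-shaped tokens in a string."""
    ssn = len(SSN_RE.findall(text))
    card = 0
    for m in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", m)
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            card += 1
    return {"ssn": ssn, "card": card}


def audit_web_root(root: str, max_bytes: int = 1_000_000) -> list:
    """Walk a web-served tree and flag work files and personal-data patterns.

    Only the first max_bytes of each file are inspected; non-UTF-8 bytes are
    ignored so binaries do not abort the scan.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if TEMP_NAME_RE.search(name):
                reasons.append("temp/work-file name")
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable files are skipped, not flagged
            hits = scan_text(text)
            if hits["ssn"] or hits["card"]:
                reasons.append("contains personal-data patterns")
            if reasons:
                findings.append(Finding(os.path.relpath(path, root),
                                        "; ".join(reasons),
                                        hits["ssn"], hits["card"]))
    return sorted(findings, key=lambda f: f.path)


def build_sample_root() -> str:
    """Create a constructed sample web root in a temp dir (not cleaned up)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "work"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Library catalog</body></html>\n")
    # Constructed borrower rows: one Luhn-valid test card number, one not.
    with open(os.path.join(root, "work", "borrowers_tmp.csv"), "w") as fh:
        fh.write("Jane Doe,123-45-6789,4111 1111 1111 1111\n")
        fh.write("John Roe,987-65-4321,1234567890123456\n")
    # A leftover backup file with an ISBN, which fails Luhn and is not counted.
    with open(os.path.join(root, "catalog.bak"), "w") as fh:
        fh.write("no personal data here, just ISBN 9780306406157\n")
    return root


if __name__ == "__main__":
    for f in audit_web_root(build_sample_root()):
        print(f"{f.path}: {f.reason} (ssn={f.ssn_hits}, card={f.card_hits})")
```

Run against the real document root as the last step of the change plan and treat any finding as a blocker for sign-off; the same scan run on a schedule gives a detection control for the case where a work file lands under the web root outside a planned change.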
Past Breaches:
Unknown for the seven (7) entities involved