New Math, data breaches version
As a survivor of New Math, it’s somewhat amazing that I’m willing to deal with numbers or math at all. Yet, here I am, with a simple equation as today’s New Math:
UNCC + UN = time for regulation
Simple, elegant, and somewhat nonsensical as a math equation, but two recent education sector breaches do add up to a call for regulation. I’ll start by reviewing some of the highlights – or should I say lowlights – of the two incidents.
The University of North Carolina at Charlotte (UNCC) data breach was disclosed in February, but as reported by the university’s counsel in May, they still weren’t sure they had identified or notified everyone who needed to be notified:
Data were exposed to the Internet, including financial account numbers and approximately 350,000 social security numbers. The exposure has been remedied, and the University is acting to alert people who may have been affected by this exposure. However, because of the size and nature of the incident, the University is unable to determine at this time whether any individual New Hampshire residents were affected…. […]
Due to incorrect access settings, large amounts of electronic data hosted by the University were accessible from the Internet. There were two exposure issues, one affecting general University servers over a period of approximately three months, and another affecting the University’s College of Engineering servers over a decade or more. The University has no reason to believe that any information from these servers was inappropriately accessed or that information was used for identity theft or other crime. These data involved people connected to the University, and included names, addresses, social security numbers, and/or financial account information provided in association with transactions with the University.
How can the university be sure that the data were not accessed? Does it have logs going back a decade that it has reviewed? And how can it have no reason to believe that the breach resulted in fraud or ID theft when no ID theft victim would have had any reason to connect their problems to the UNCC breach until it was disclosed and individuals notified?
And while the university blames its configuration errors, why not also blame the university for storing and retaining so much data on servers connected to the Internet?
Fast forward to the University of Nebraska breach, disclosed last week. That breach, attributed to a hack, may have compromised 654,000 records including SSN and over 20,000 bank account numbers. The data on the server goes back to 1985. Why?
Note that this was not UN’s first large breach. In November 2010, the Lincoln campus reported that some 300,000 students’ financial data had been exposed on the Internet on the state treasurer’s site. The state, responding to the university’s request to remove the refund data, had noted that the university had been given opportunities to scrub the data before they were posted publicly but that the university had not done so.
Now according to Dissent’s New Math, 350,000 + 654,000 = more than 1 million students, faculty, and parents who have had their SSN and/or bank account information exposed in just two universities’ recently disclosed breaches. What percent of the hapless students, faculty, and parents could have been spared if the universities did not store so much data on servers connected to the Internet?
I’ll ask again: why hasn’t the U.S. Department of Education or Congress done something about this recurring problem? And it is recurring. Here are some other large university breaches involving student information over the past 8 years, in chronological order:
- A hack of San Diego State University disclosed in March 2004 affected 178,000 (details)
- A hack of a University of California San Diego database disclosed in May 2004 affected 380,000 (details)
- A hack of the University of Hawaii disclosed in June 2005 affected 150,000 (details)
- A hack of a University of Southern California database disclosed in July 2005 affected 275,000 (details)
- A hack of University of Texas databases disclosed in April 2006 affected 197,000 (details)
- A hack of Western Illinois University disclosed in June 2006 affected 180,000 (details)
- A hack of a UCLA database disclosed in December 2006 affected 800,000 (details)
- A hack of Valdosta State University disclosed in February 2010 affected 170,000 (details)
- Web exposure of University of Nebraska – Lincoln student financial data disclosed in November 2010 affected 300,000 (details)
- A hack of an Ohio State University database disclosed in December 2010 affected 760,000 (details)
- A hack of Virginia Commonwealth University disclosed in November 2011 affected 176,567 (details)
- A hack of an Indiana University database disclosed in January 2012 affected 650,000 (details)
- Two configuration error breaches at the University of North Carolina at Charlotte disclosed in February 2012 affected 350,000 (details)
- A hack of University of Nebraska disclosed in May 2012 affected 654,000 (details)
… and there’s much more.
Note that the number affected per breach does not appear to be systematically decreasing over the years, suggesting that universities are not getting the message or learning important lessons about preventing breaches involving SSN or financial information.
So….. can you hear me NOW? It’s time to get serious about data retention and sensitive data connected to the Internet in the education sector.
Clip art by Phillip Martin.