University of Baltimore exposed student identity information for more than three years: auditors (UPDATED)
Jan. 29 – please see update under this post.
Meredith Cohn reports on a breach involving University of Baltimore student data:
The University of Baltimore has added protections to personal student data that officials had left unsecured possibly for years, according to a state audit released this month.
The information on 117,793 students was kept in text form in a database that contained names, addresses, dates of birth and Social Security numbers. The lapse was discovered during a routine audit by the Department of Legislative Services’ Office of Legislative Audits.
Such sensitive personally identifiable information is “commonly associated with identity theft,” read the audit, which covered July 2013 to mid-September 2016. “
Read more on The Baltimore Sun.
Now keep in mind that the University of Baltimore is part of the University System of Maryland. And in December, 2014, the Baltimore Sun reported:
Nearly a year after a massive data breach at the University of Maryland, state auditors say the campus network is still vulnerable to hackers — in part because gaps they identified five years ago remain.
While patching those holes would not have prevented the breach, auditors and university officials said Wednesday, some of the network still lacks proper firewalls or systems to detect intruders or malware.
Thomas Barnickel, an auditor with the state Office of Legislative Audits, said the findings suggest broader issues regarding the network’s protection.
Were those gaps applicable to the University of Baltimore? For how many years has UB been seriously vulnerable?
DataBreaches.net sent an inquiry to the University of Baltimore asking whether students were sent notification letters and/or offered any mitigation services. Because the state’s report did not indicate whether they had assessed or investigated unauthorized access to the student data, our inquiry also included a question as to whether forensic investigation had determined whether any unauthorized IP addresses or individuals had accessed the exposed data. No response has been received from University of Baltimore as of publication time. This post may be updated as more information becomes available.
Update: The U. of Baltimore responded to this site’s inquiries. First and foremost, there was no breach involving the student data. None at all. Although the state’s report did not address that specifically, U. of Baltimore did investigate and found no breach.
The only – or real – issue, according to a university spokesperson, was that the data were in plain text and needed additional security such as encryption. According to the spokesperson:
The issue pointed out in the legislative audit was that data were stored without additional recommended safeguards; adequate safeguards were in place. UB had security in place but needed to add encryption to our capabilities; there was significant concern about slowing the system down so extensive testing was done prior to implementing the
encryption; consequently, the work was in progress when the auditors arrived on campus. We have completed this task per the audit’s recommendation.
So if anything, it sounds like the auditors did their job – they pointed out where the security for the data needed to be hardened by deploying encryption. And the university didn’t dispute that and had already been working on it. It’s a shame that they hadn’t completed it by the time of the audit, as they seem to have gotten bad local press for a situation that many universities still grapple with.