In the past few weeks we have seen over a million records containing personally identifiable information (PII) compromised in data security breaches at Higher Education institutions nationwide. These are very high profile and damaging breaches.
First we read about the University of Maine being hacked. That relatively small breach netted somebody 1,175 Social Security Numbers and 435 payment cards. However, it was followed almost immediately by news that hackers successfully stole 350,000 personal records from the University of North Carolina at Charlotte.
Now, during this Memorial Day weekend, we learn that hackers executed a "sophisticated and skilled attack" on the University of Nebraska's systems to grab 654,000 student and alumni records. The data in that breach included "Social Security numbers, as well as addresses, grades, transcripts, and housing and financial aid information. The database also includes information for alumni as far back as the spring of 1985, as well as for people who applied to the university but did not attend school there."
I doubt there is any relation between these data breaches except for one thing: the schools kept a lot of PII (sometimes including payment cards) and they didn't protect it adequately.
The unfortunate part of all these situations is that they were, and remain, unnecessary. PCI is not perfect, but it is prescriptive. That is, it gives you rules for protecting all your confidential information, not just payment cards. I have no insight into any of the data breaches noted above except what I read (which, of course, is always dangerous). But I wonder whether the controllers, foundation and development departments, and others responsible for the data followed some simple rules to protect it.
For example:
- Did they restrict access to the data to only those staff with a business need-to-know (PCI Requirement 7)?
- Did they encrypt the data in the database (Requirement 3)?
- Was there an effective firewall separating the database from the Internet (Requirement 1)?
- Did all users have strong passwords, and did they use two-factor authentication when accessing the data remotely (Requirement 8)?
- And maybe most of all, how effectively were the PII databases segmented from the rest of the university's environment (Requirement "0")?