Monday, May 28, 2012

Over One Million Records Compromised in a Few Weeks

Is there something in the water?

In the past few weeks we have seen over a million records containing personally identifiable information (PII) compromised in data security breaches at Higher Education institutions nationwide.  These are very high profile and damaging breaches.

First we read about the University of Maine being hacked.  That relatively small breach netted somebody 1,175 Social Security Numbers and 435 payment cards.  However, it was followed almost immediately by news that hackers had stolen 350,000 personal records from the University of North Carolina at Charlotte.

Now, during this Memorial Day weekend, we learn that hackers executed a "sophisticated and skilled attack" on the University of Nebraska's systems to grab 654,000 student and alumni records.  The data in that breach included "Social Security numbers, as well as addresses, grades, transcripts, and housing and financial aid information. The database also includes information for alumni as far back as the spring of 1985, as well as for people who applied to the university but did not attend school there."

I doubt there is any relation between these data breaches except for one thing: the schools kept a lot of PII (sometimes including payment cards) and they didn't protect it adequately.  

The unfortunate part of all these situations is that they were, and remain, unnecessary.  PCI is not perfect, but it is prescriptive.  That is, it gives you rules that work for protecting all your confidential information, not just payment cards.  I have no insight into any of the data breaches noted above beyond what I read (which, of course, is always dangerous).  But I wonder whether the controllers, foundation and development departments, and others responsible for the data followed some simple rules to protect it.  

For example:
  • Did they restrict access to the data to only those staff with a business need-to-know (PCI Requirement 7)?  
  • Did they encrypt the data in the database (Requirement 3)?  
  • Was there an effective firewall separating the database from the Internet (Requirement 1)? 
  • Did all users have strong passwords, and did they use two-factor authentication when accessing the data remotely (Requirement 8)?  
  • And maybe most of all, how effectively were the PII databases segmented from the rest of the university's environment (Requirement "0")?
I don't know if these three breaches are the beginning of a trend.  However, now may be a good time for everyone to look at PCI and what it can do to protect all of your institution's PII and keep you out of the headlines for reasons you really don't want.
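As an added example (not code from the original post or from any of the institutions named), here is what Requirement 3's "encrypt the data in the database" looks like in practice for a Social Security Number column: field-level AES-256-GCM in Go, with the key held outside the database, the row ID bound in as associated data so a ciphertext cannot be moved from one student's row to another's, and only the last four digits stored in the clear for display.  The `StudentRecord` layout, the sample student and the `student:<id>` associated-data convention are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StudentRecord is a constructed example row (assumed layout). Only the
// ciphertext and the last four digits of the SSN are ever written to the table.
type StudentRecord struct {
	ID       int
	Name     string
	SSNEnc   string // base64(nonce || AES-256-GCM ciphertext) of the SSN
	SSNLast4 string // display/lookup value; not enough to reconstruct the SSN
}

// recordAAD binds a ciphertext to its row (assumed convention): a ciphertext
// copied from one student's row into another's fails authentication.
func recordAAD(id int) string { return fmt.Sprintf("student:%d", id) }

// encryptField encrypts one column value with AES-256-GCM under key.
// The random nonce is prepended to the ciphertext; aad is authenticated
// but not stored with the row.
func encryptField(key []byte, plaintext, aad string) (string, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decryptField reverses encryptField. A wrong key, a tampered ciphertext or
// a mismatched aad all return an error rather than garbage plaintext.
func decryptField(key []byte, encoded, aad string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// storeStudent builds the row that would be INSERTed: the SSN goes in
// encrypted, alongside its last four digits for display.
func storeStudent(key []byte, id int, name, ssn string) (StudentRecord, error) {
	digits := strings.ReplaceAll(ssn, "-", "")
	if len(digits) != 9 {
		return StudentRecord{}, errors.New("SSN must have nine digits")
	}
	enc, err := encryptField(key, ssn, recordAAD(id))
	if err != nil {
		return StudentRecord{}, err
	}
	return StudentRecord{ID: id, Name: name, SSNEnc: enc, SSNLast4: digits[5:]}, nil
}

// dumpTable renders rows the way a stolen database dump would show them:
// without the key, the SSN column is opaque.
func dumpTable(rows []StudentRecord) string {
	var b strings.Builder
	for _, r := range rows {
		fmt.Fprintf(&b, "%d|%s|%s|%s\n", r.ID, r.Name, r.SSNEnc, r.SSNLast4)
	}
	return b.String()
}

func main() {
	// The data-encryption key lives outside the database (HSM, KMS or a key
	// file readable only by the application account), never in a row.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec, err := storeStudent(key, 42, "Jane Doe", "123-45-6789") // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Print(dumpTable([]StudentRecord{rec}))
	ssn, err := decryptField(key, rec.SSNEnc, recordAAD(rec.ID))
	fmt.Println("authorized read:", ssn, err)
	_, err = decryptField(key, rec.SSNEnc, recordAAD(7)) // ciphertext moved to another row
	fmt.Println("swapped row:", err)
}
```

Run as-is it prints the row as a dump would show it, then the decrypted SSN for an authorized read, then the error from trying to decrypt the same ciphertext under another row's ID.  The encryption is only as good as where the key lives: a key kept in the same database, or in the web root next to the application, is no stronger than the access control around it, which is why Requirement 3 pairs encryption with key-management rules.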


  1. "...hackers successfully stole 350,000 personal records from the University of North Carolina at Charlotte..."

    I've read that it wasn't necessarily a hack, but just that the records were unintentionally exposed for up to 15 years. Have you heard differently?

  2. My company is shifting its data security emphasis to monitoring 3rd parties. For example: we're constantly sending data to a firm that processes our finances and performs basic accounting/reporting. How do we ensure these 3rd parties aren't mishandling our data? How do we know if Joe Shmoe isn't copying our files, losing/replicating our tapes, or distributing our sensitive information? I'm looking for technologies, software, questionnaires, or some methodology that provides a meaningful assessment or metric that indicates how secure our data is once it leaves our network.
