TechHui

Hawaiʻi's Technology Community

Third Major UH Data Breach in One Year


I debated posting this because we have so many great UH faculty members as members, and I don't want this to turn into a bash-fest on the people who were instrumental in helping us grow this community. That being said, it wouldn't be honest for us not to address the issue. Obviously three major security breaches in a year indicates a very serious problem. I'm sure most of you have read the articles, but for those who haven't:

From the Star Advertiser:

Washington, D.C.-based privacy policy institution.


A faculty member at the West Oahu campus apparently inadvertently uploaded personal information of 40,101 students to the Web. The information belongs to students who attended the West Oahu campus from 1988 to 1993, and Manoa students from 1990 to 1998 and in 2001.

The information was posted by a now-retired Institutional Research Office faculty member at 2:46 p.m. Nov. 30, 2009.

Everything from a student's Social Security number and citizenship to the highest level of education attained by parents, marital status and addresses were available online until Oct. 18, when the Liberty Coalition in Washington, D.C., discovered the information through a Google search.

Full Article

The evidence that we have a problem is incontrovertible. Rather than attacking UH, lets figure out how we can help. I've listed some of my ideas below. If you know something about security, please contribute yours.

  1. Independent Audits: UH should undergo an independent SAS 70 Type II Audit. If our schools are going to hold sensitive data about us, we should hold them to the same standards as anyone else who has our credit card information and/or social security data. The criteria for the audit should be established by a panel of IT professionals from the private sector (see 4 below.)
  2. Expand the Authority of the Office of the CIO: To our friends at UH, if I'm wrong feel free to correct me, but I have the impression that many groups within UH skirt the rules established by the CIO. They seem to do this by establishing IT groups internally that do not report into the Information Technology Services department. If you have a computer, the rules should apply to you, and the CIO should have the ability to say you have violated those rules which, in egregious cases, should result in your immediate termination.
  3. Enforce the Rules that Already Exist: UH has a policy that social security numbers should not be used to identify students. If you break this rule, you should be fired immediately.
  4. Create an IT Advisory Board Composed of Private Sector Experts: This group would meet with the CIO quarterly and be available to render advice when needed.

There is no such thing as perfect security for any non-trivial system. That being said, we need to raise the bar considerably. The success of UH is critical to our state, and that success is contingent on students feeling that their personal data is secure.

Views: 173

Comment

You need to be a member of TechHui to add comments!

Join TechHui

Comment by Brian on November 19, 2010 at 6:33am
UH has been sued over the recent breaches.

Gross has filed a class-action lawsuit in federal court, targeting the University of Hawaii, its president, M.R.C. Greenwood, Board of Regents Chairman Howard Karr, and Chief Information Officer David Lassner.
Comment by Brian on November 18, 2010 at 4:21am
Part 1 of their report is here

The letter I received from UH was in line with what their report states. It was misleading and portrayed UH in a more competent light than from what facts have been revealed (It says the information was placed on a server believed to be secure - it glaringly omits the fact that was some cowboyish antic involving home computers - and basically says "sucks to be you".

Reading Mr. Lassner's bio on his site the problem becomes clear - his roles are primarily those of a CTO, not a CIO. They can call him their CIO; but UH's track record indicates otherwise.
Comment by Brian on November 4, 2010 at 12:41am
http://www.hawaiinewsnow.com/Global/story.asp?S=13442825

"He did do that, however he has deleted all of those files. He's confirmed that none of them are with his home computer," said Mielke.

Implies they didn't even seize his computer. What a complete joke.

UH CIO & IT Staff are not doing their job, based on the above article it appears they cannot even conduct an investigation of a spillage correctly.
Comment by Bill on November 3, 2010 at 3:16am
Here is the law (hit previous/next to see the other sections)
Comment by Bill on November 3, 2010 at 3:15am
Phill, Hawaii does have personal information breach law similar to CA but naturally it is not overly punishing to government entities such as UH and state agencies. Why would the state fine itself?

Anyway, yes, (HRS §487N-2) requires prompt notification of victims and a detailed, public report to the legislature. Everyone should read this law (it requires detailed reporting of all systems and processes touching PII, and sets up a new Hawaii State "Information privacy and security council". This requires essentially a thorough self-audit and seems to incorporate people from every branch of government. The goal seems laudable, but I wonder if it is effective. Does anyone know how other states do it, do they have external IT auditors?

Regarding the report to legislature, whenever another UH breach occurs, they are required to incorporate in their breach report "any procedures that have been implemented to prevent the breach from reoccurring"

Examples:

February 2010 breach (scroll to last page)

June 2010 breach (scroll to last page)

Anyone interested in this subject should read the law, and at least the final pages of the UH reports above.
Comment by Bruce M. Bird on November 2, 2010 at 4:13pm
Hi, Dan.

You probably already know about this website: http://www.privacyrights.org/data-breach . It contains some really fascinating --and scary-- stuff involving security breaches from 2005 through the present.

I teach at a university. I think that your approach of finding solutions --rather than casting blame-- is a good one.

In my opinion, a researcher at a university simply should not have access to a database file on his (or her) computer that contains tens of thousands of Social Security Numbers. The subset of employees at any university who have access to Social Security Numbers should be tiny. So, it's probably a good idea for a procedure to be in place for SSNs to be "scrubbed" from any database file prior to it being made available to a researcher.
Comment by Paul Graydon on October 31, 2010 at 8:13am
My use of the terms "university world" and "real world" are born out of personal experience of working in IT in the education environment. I also chat on a daily basis with Sysadmins in universities all around the mainland (mostly members of LOPSA), some of whom have worked in both education and corporate sectors, a number of whom have 20+ years experience in the sector. They will all tell you the exact same thing. The expectations on sysadmins inside a university are far and apart from those in any other industry sector.

The requirements and pressures are different and the infrastructure is almost inevitably a case of organic growth rather than designed growth, in no small part because the budget for a complete or partial overhaul is rarely there.


Just shooting a random early morning thought off:
There ought to be a member of staff, or team, who's responsibility it is to manage and audit all usage of secure and identifying data, with the default position being "deny by default, permit grudgingly". Any request for information that included such secure details ought to be justified.
Comment by Daniel Leuck on October 31, 2010 at 3:58am
Alex: You guys seem to be assuming this is a systemic error. I don't think it is.
Its happened three times in the past year. How can you say its not systemic?
Alex: Let us not get caught up in the lynch mob of modern media (shallow and fast) and suggest solutions when we don't even know the questions. As long as we do not know more, is it a waste of time and effort to suggest solutions.
Why are you assuming my assessment or Aaron's assessment was shallow and fast? What is lynch mob-y about what I wrote in this post? I think it was actually pretty friendly, don't you?
It seems like you are assuming the only information we have is what was contained in a newspaper article and that we don't have any history with UH, neither of which is true.

Alex: I think you are assuming that academic resources are being used at the organizational level. This is very seldom true. It is a complete misnomer that there is a "university world" and a "real world".
I won't touch the last sentence because it would just be, well, counterproductive, but based on the past breaches that is exactly what is happening. The data is being managed by people outside of UH's IT organization - a professor, the parking office, etc.
Comment by Alex on October 31, 2010 at 3:11am
You guys seem to be assuming this is a systemic error. I don't think it is. This is data from an old research study. The article seems to point to one person that posted old sensitive data on a server. There is no excuse for that, and obviously the person should know better, but to say take it from there to now UH needs an advisory council is pretty long. There are so many facets if information left out here, and jumping to these conclusions are way too early.

Let us not get caught up in the lynch mob of modern media (shallow and fast) and suggest solutions when we don't even know the questions. As long as we do not know more, is it a waste of time and effort to suggest solutions. It is purely speculative and a completely useless exercise.

>Dan said: There are plenty of smart people at UH, but people in the commercial space have different skills because they are exposed to different pressures.

I think you are assuming that academic resources are being used at the organizational level. This is very seldom true. It is a complete misnomer that there is a "university world" and a "real world".

So (independent) audit: sure. Advisory council: WAY too early to say.

In addition if UH had been the ones to go the press the articles would probably look a little different. As much as I like and think it is important to police large corporations the way this came about made me a little queasy.
Comment by Daniel Leuck on October 31, 2010 at 12:35am
Phill Moran: Independence of Audit is very important, as is accountability to the standards that you set for the Audit.
I agree. I think the standards should be created by the office of the CIO in cooperation with an advisory board of industry experts. The audit itself should be conducted by an independent party not affiliated with either the university or the expert advisory board.

Sponsors

web design, web development, localization

© 2019   Created by Daniel Leuck.   Powered by

Badges  |  Report an Issue  |  Terms of Service