TechHui

Hawaiʻi's Technology Community

Third Major UH Data Breach in One Year


I debated posting this because we have so many great UH faculty members as members, and I don't want this to turn into a bash-fest on the people who were instrumental in helping us grow this community. That being said, it wouldn't be honest for us not to address the issue. Obviously three major security breaches in a year indicates a very serious problem. I'm sure most of you have read the articles, but for those who haven't:

From the Star Advertiser:

Washington, D.C.-based privacy policy institution.


A faculty member at the West Oahu campus apparently inadvertently uploaded personal information of 40,101 students to the Web. The information belongs to students who attended the West Oahu campus from 1988 to 1993, and Manoa students from 1990 to 1998 and in 2001.

The information was posted by a now-retired Institutional Research Office faculty member at 2:46 p.m. Nov. 30, 2009.

Everything from a student's Social Security number and citizenship to the highest level of education attained by parents, marital status and addresses were available online until Oct. 18, when the Liberty Coalition in Washington, D.C., discovered the information through a Google search.

Full Article

The evidence that we have a problem is incontrovertible. Rather than attacking UH, let's figure out how we can help. I've listed some of my ideas below. If you know something about security, please contribute yours.

  1. Independent Audits: UH should undergo an independent SAS 70 Type II Audit. If our schools are going to hold sensitive data about us, we should hold them to the same standards as anyone else who has our credit card information and/or social security data. The criteria for the audit should be established by a panel of IT professionals from the private sector (see 4 below).
  2. Expand the Authority of the Office of the CIO: To our friends at UH, if I'm wrong feel free to correct me, but I have the impression that many groups within UH skirt the rules established by the CIO. They seem to do this by establishing IT groups internally that do not report into the Information Technology Services department. If you have a computer, the rules should apply to you, and the CIO should have the ability to say you have violated those rules which, in egregious cases, should result in your immediate termination.
  3. Enforce the Rules that Already Exist: UH has a policy that social security numbers should not be used to identify students. If you break this rule, you should be fired immediately.
  4. Create an IT Advisory Board Composed of Private Sector Experts: This group would meet with the CIO quarterly and be available to render advice when needed.

There is no such thing as perfect security for any non-trivial system. That being said, we need to raise the bar considerably. The success of UH is critical to our state, and that success is contingent on students feeling that their personal data is secure.


Comment by Brian on November 19, 2010 at 6:33am
UH has been sued over the recent breaches.

Gross has filed a class-action lawsuit in federal court, targeting the University of Hawaii, its president, M.R.C. Greenwood, Board of Regents Chairman Howard Karr, and Chief Information Officer David Lassner.
Comment by Brian on November 18, 2010 at 4:21am
Part 1 of their report is here

The letter I received from UH was in line with what their report states. It was misleading and portrayed UH in a more competent light than what the facts have revealed. (It says the information was placed on a server believed to be secure - it glaringly omits the fact that this was some cowboyish antic involving home computers - and basically says "sucks to be you".)

Reading Mr. Lassner's bio on his site, the problem becomes clear - his roles are primarily those of a CTO, not a CIO. They can call him their CIO; but UH's track record indicates otherwise.
Comment by Brian on November 4, 2010 at 12:41am
http://www.hawaiinewsnow.com/Global/story.asp?S=13442825

"He did do that, however he has deleted all of those files. He's confirmed that none of them are with his home computer," said Mielke.

Implies they didn't even seize his computer. What a complete joke.

UH CIO & IT Staff are not doing their job, based on the above article it appears they cannot even conduct an investigation of a spillage correctly.
Comment by Bill on November 3, 2010 at 3:16am
Here is the law (hit previous/next to see the other sections)
Comment by Bill on November 3, 2010 at 3:15am
Phill, Hawaii does have a personal information breach law similar to CA's, but naturally it is not overly punishing to government entities such as UH and state agencies. Why would the state fine itself?

Anyway, yes, (HRS §487N-2) requires prompt notification of victims and a detailed, public report to the legislature. Everyone should read this law (it requires detailed reporting of all systems and processes touching PII, and sets up a new Hawaii State "Information privacy and security council"). This requires essentially a thorough self-audit and seems to incorporate people from every branch of government. The goal seems laudable, but I wonder if it is effective. Does anyone know how other states do it? Do they have external IT auditors?

Regarding the report to the legislature, whenever another UH breach occurs, they are required to incorporate in their breach report "any procedures that have been implemented to prevent the breach from reoccurring".

Examples:

February 2010 breach (scroll to last page)

June 2010 breach (scroll to last page)

Anyone interested in this subject should read the law, and at least the final pages of the UH reports above.
Comment by Bruce M. Bird on November 2, 2010 at 4:13pm
Hi, Dan.

You probably already know about this website: http://www.privacyrights.org/data-breach . It contains some really fascinating --and scary-- stuff involving security breaches from 2005 through the present.

I teach at a university. I think that your approach of finding solutions --rather than casting blame-- is a good one.

In my opinion, a researcher at a university simply should not have access to a database file on his (or her) computer that contains tens of thousands of Social Security Numbers. The subset of employees at any university who have access to Social Security Numbers should be tiny. So, it's probably a good idea for a procedure to be in place for SSNs to be "scrubbed" from any database file prior to it being made available to a researcher.
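As an added example (not code from the post or from any commenter), one way to implement the "scrub before release" procedure Bruce describes: the SSN column is replaced with a keyed HMAC token so a researcher can still link records without ever holding an SSN, and a release gate refuses any file that still contains SSN-shaped values. The column names, rows and key below are constructed assumptions.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample in the rough shape of the research extract described in
# the article: column names and every value are made up for this example.
SAMPLE_CSV = """student_id,ssn,campus,first_enrolled,parent_education
1001,123-45-6789,West Oahu,1988,bachelors
1002,987654321,Manoa,1990,high school
1003,,Manoa,2001,masters
"""

# Demo key only; a real deployment keeps this in a secret store that the
# researcher never sees, so tokens cannot be reversed to SSNs.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def pseudonymize_ssn(ssn: str, key: bytes) -> str:
    """Keyed HMAC token: stable per student (so records still link), but
    not reversible without the key and not guessable from the token."""
    digits = ssn.replace("-", "")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def scrub(csv_text: str, key: bytes, sensitive_cols=("ssn",)) -> str:
    """Return a copy of the CSV with each sensitive column tokenized."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col in sensitive_cols:
            if col in row and row[col].strip():
                row[col] = pseudonymize_ssn(row[col].strip(), key)
        writer.writerow(row)
    return out.getvalue()


def contains_ssn(csv_text: str) -> bool:
    """Release gate: true if any cell still looks like an SSN, in which case
    the file must not leave the controlled environment."""
    return any(SSN_RE.match(cell.strip())
               for row in csv.reader(io.StringIO(csv_text)) for cell in row)


def load_rows(csv_text: str) -> list:
    """Parse CSV text into dicts (helper for checking the released file)."""
    return list(csv.DictReader(io.StringIO(csv_text)))
```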
Comment by Paul Graydon on October 31, 2010 at 8:13am
My use of the terms "university world" and "real world" is born out of personal experience of working in IT in the education environment. I also chat on a daily basis with sysadmins in universities all around the mainland (mostly members of LOPSA), some of whom have worked in both education and corporate sectors, a number of whom have 20+ years experience in the sector. They will all tell you the exact same thing. The expectations on sysadmins inside a university are far apart from those in any other industry sector.

The requirements and pressures are different and the infrastructure is almost inevitably a case of organic growth rather than designed growth, in no small part because the budget for a complete or partial overhaul is rarely there.


Just shooting a random early morning thought off:
There ought to be a member of staff, or team, whose responsibility it is to manage and audit all usage of secure and identifying data, with the default position being "deny by default, permit grudgingly". Any request for information that includes such secure details ought to be justified.
Comment by Daniel Leuck on October 31, 2010 at 3:58am
Alex: You guys seem to be assuming this is a systemic error. I don't think it is.
It's happened three times in the past year. How can you say it's not systemic?
Alex: Let us not get caught up in the lynch mob of modern media (shallow and fast) and suggest solutions when we don't even know the questions. As long as we do not know more, it is a waste of time and effort to suggest solutions.
Why are you assuming my assessment or Aaron's assessment was shallow and fast? What is lynch mob-y about what I wrote in this post? I think it was actually pretty friendly, don't you?
It seems like you are assuming the only information we have is what was contained in a newspaper article and that we don't have any history with UH, neither of which is true.

Alex: I think you are assuming that academic resources are being used at the organizational level. This is very seldom true. It is a complete misnomer that there is a "university world" and a "real world".
I won't touch the last sentence because it would just be, well, counterproductive, but based on the past breaches that is exactly what is happening. The data is being managed by people outside of UH's IT organization - a professor, the parking office, etc.
Comment by Alex on October 31, 2010 at 3:11am
You guys seem to be assuming this is a systemic error. I don't think it is. This is data from an old research study. The article seems to point to one person that posted old sensitive data on a server. There is no excuse for that, and obviously the person should know better, but to take it from there to "now UH needs an advisory council" is pretty long. There are so many facets of information left out here, and jumping to these conclusions is way too early.

Let us not get caught up in the lynch mob of modern media (shallow and fast) and suggest solutions when we don't even know the questions. As long as we do not know more, it is a waste of time and effort to suggest solutions. It is purely speculative and a completely useless exercise.

>Dan said: There are plenty of smart people at UH, but people in the commercial space have different skills because they are exposed to different pressures.

I think you are assuming that academic resources are being used at the organizational level. This is very seldom true. It is a complete misnomer that there is a "university world" and a "real world".

So (independent) audit: sure. Advisory council: WAY too early to say.

In addition, if UH had been the ones to go to the press, the articles would probably look a little different. As much as I like and think it is important to police large corporations, the way this came about made me a little queasy.
Comment by Daniel Leuck on October 31, 2010 at 12:35am
Phill Moran: Independence of Audit is very important, as is accountability to the standards that you set for the Audit.
I agree. I think the standards should be created by the office of the CIO in cooperation with an advisory board of industry experts. The audit itself should be conducted by an independent party not affiliated with either the university or the expert advisory board.
