Third Major UH Data Breach in One Year

Comment

Comment by Daniel Leuck on October 30, 2010 at 10:04pm

Alex - I forgot to mention that it would have ended up in the paper regardless of whether or not Liberty disclosed the information. The moment Aaron notified the university they were bound by state law to report it to the individuals involved "without unreasonable delay". The same law requires that if you can't reach the people affected you have to post the information on the web, notify Hawaii's office of consumer protection and major statewide media.

Comment by Daniel Leuck on October 30, 2010 at 9:37pm

Alex: I'm not sure if 4;. (Advisory board is the right way to go. It seems to me that they will only increase the already cumbersome system at UH.

I'm willing to bet it would make things more efficient and less cumbersome. There are plenty of smart people at UH, but people in the commercial space have different skills because they are exposed to different pressures. It could also help the UH IT folks sell the higher ups on good ideas - "We want to do X type of audit or implement system Y because we think it will make our systems more secure and the top industry experts in our state agree." The state's IT people would also benefit from such a group.

Alex: 1. Upper level management often have very little knowledge and understanding of IT...IT is often looked upon as a cost center and something that should be cut to the bone (another university I went to the president were well known for not having a computer or email), and thus the IT budgets are laughably small. If you don't have the money you can't make the systems. The best advisory boards in the world will not help that.

I strongly disagree. Being able to say, "Industry experts in our state agree with our recommendation to implement X in order to make our system more secure." would help immensely in terms of persuading upper management. I've seen this dynamic with advisory boards and consultants in corporate settings many times.

Alex: That said, and of course not as an excuse to what happened at UH I do wonder how this ended up in the newspapers?

It was made public knowledge by National ID Watch, a service of the Liberty Coalition, when Aaron Titus discovered the problem. That is what they do.

Alex: No surprise that the information in the newspaper is lacking critical information. My point..there is way way way too little information to say anything about what happened and about what UH should or should not do.

Aaron has been working with UH on this for over a week. He has plenty of information. I just spent an hour talking to him about it. I've done business with the university at multiple companies going back over a decade and I've talked to many people inside the system.

Two things I want to point out:
1. I'm not bashing UH. I like UH, I like a ton of people at UH, and I want the school to do well. I bring up these issues in the interest of helping the system.
2. These issues are not unique to UH. Aaron wrote a good post about the challenges at universities in general.

re: Bill's post below - Excellent points. I agree completely.

Comment by Bill on October 30, 2010 at 8:04pm

Wow, great discussion here. As Dan mentions, at UH we need more of a top-down structured system of accountability in IT going up to the CIO rather than disconnected IT groups. This might be why 9 years have gone by in UH's efforts to get rid of SSN's but little progress has been made.

We know that today over 50% of vulnerabilities are in webapps, something that escapes attention of traditional security practice. UH needs to emulate many organizations by putting in place a C&A (certification and accreditation) process for webapps and more experienced oversight of anyone involved in deploying networks or applications.

I agree with Alex about the funding issues, but that would be a poor excuse to take a decade to purge SSN's from university systems. It is not expensive to run the contents of a drive through a REGEX expression to identify SSN's. It is not expensive to use existing UH ID's rather than SSN's. UH has plenty of unionized state workers sitting, waiting for work to do. This would be a wonderful project for them.

The technical issues are relatively simple. This all comes back to the administrative problems - you have many layers of managers, assistant directors, directors, and vice chancellors between the IT people running most of UH infrastructure, and the main IT group the CIO is with. So regardless the wonderful policies promulgated by the university, it is difficult for the CIO to get visibility to these independently operating pockets of IT people and actually verify that policy is being followed. No matter how good the CIO is, he has an uphill battle to overcome organizational inertia at all those levels and affect change.

Comment by Alex on October 30, 2010 at 7:13pm

I'm not sure if 4;. (Advisory board is the right way to go. It seems to me that they will only increase the already cumbersome system at UH. I think in University settings (in general) there are two major issues that a CIO is working against. 1. Upper level management often have very little knowledge and understanding of IT...IT is often looked upon as a cost center and something that should be cut to the bone (another university I went to the president were well known for not having a computer or email), and thus the IT budgets are laughably small. If you don't have the money you can't make the systems. The best advisory boards in the world will not help that.

Secondly this seems to be very very avoidable by simple and basic understanding of what constitutes sensitive data. I am not sure what "apparently inadvertently uploaded personal information" means, but ANYONE that have access to data can do this. The worlds best system will not be able to cripple stupidity.

That said, and of course not as an excuse to what happened at UH I do wonder how this ended up in the newspapers?

No surprise that the information in the newspaper is lacking critical information. My point..there is way way way too little information to say anything about what happened and about what UH should or should not do.

Comment by Daniel Leuck on October 30, 2010 at 5:58pm

I just got off an hour long conversation with Aaron Titus, the gentlemen commenting below who discovered the breach. He is an interesting guy with an interesting background - testified before congress, advised the military on security matters, got into a spate with Joe Lieberman regarding the constitutionality of his bill, etc. He is clearly passionate and well informed about the technical and legal aspects of data security.

Given the fact Aaron is a privacy specialist who has worked with dozens of universities, his assessment that we are 3-4 years behind is very likely accurate. I was happy to hear that UH immediately involved him in the investigation. Apparently he often gets less friendly reactions :-)

I hope we see real changes in the structure of UH and not, as Aaron puts it, "security breach theater."

Comment by Johnson Choi on October 30, 2010 at 5:18pm

Jun 22, 2010 The Hospital Authority in Hong Kong announced two data breach incidents. The breaches could have been easily avoided by following proper procedures and using information security software such as drive encryption software from AlertBoot http://www.alertboot.com/ which is a USA Company located at.3565 Las Vegas Blvd South, Suite 162 Las Vegas, NV 89109 U.S.A. Main Phone: +1.212.754.4300 Main Fax: 646.862.3790

Comment by Brian on October 30, 2010 at 5:14pm

Just to add - though I do agree with Aaron's comments that instituting a security culture is a longer term process that cannot simply be accomplished by a few firings and hirings. That said, given the severity, escalation, and continuing nature of these breaches (which are only the ones that have been publicized) - it is pretty clear that for whatever reason the current system is not working and needs to be substantially restructured.

Not in the sense of security theatre so we can be 'seen to be doing things', but rather this needs to be made a real priority and real actions need to be taken - it does not seem that is occurring at a reasonable pace. Given this is the third major breach in about as many years and it was not detected internally, it seems abdundantly clear the current staff is not up to the task. It does not take years to do basic things like sweep your own IT systems.

Comment by Brian on October 30, 2010 at 5:08pm

I used to be one of those student sysadmins at UH and while I appreciate Aaron's comments - I disagree. Heads do need to roll. While my information is about 10 years old, I doubt things have changed substantially. The IT department there was disconnected and ineffectual. They are state employees that are not up to par in terms of industry standards and should be flushed.

Comment by Aaron Titus on October 30, 2010 at 4:51pm

Oh, and Paul... your wife can go to nationalidwatch.org and search for her name to find out whether she was affected. The University help desk will also be using nationalidwatch.org to answer questions from people who call in.

Comment by Aaron Titus on October 30, 2010 at 4:49pm

Hey, all. This is Aaron Titus, Privacy Director for the Liberty Coalition. I discovered the UH breach (as well as more than 100 others). Daniel suggested I chime in. I'm happy to answer any questions about the investigation I can.

I can make a few general statements. First, I was disappointed with what I saw of the security environment at UH. Second, UH's security environment seems to be typical, or perhaps 3-4 years behind the average university I've worked with. A while ago I wrote an article about some of the reasons that University security is so lacking, from a systemic perspective. Not much has changed from that perspective.

The method of breach is extremely typical of the breaches I cover; only the size is atypically large. Breaches like this tend to fall into one or two patterns: 1. The 10-year-old backed-up, backed-up, copied, backed-up hard drive which contains SSNs that I forgot about, which I then back up to my university web space; or 2. The I-didn't-realize-that-the-server-wasn't-secure-because-after-all,-I-had-to-enter-my-username-and-password-to-upload-files breach. This one had flavors of both.

But I don't think that letting heads roll is a real solution. Firing people is too often a form of security theater, which is the worst kind because it is false. Part of me is really glad that the faculty member is already retired, because it means he won't take the fall, when the entire University system is to blame. Creating a culture of privacy and security takes a long time, and is not just an IT department issue, or a matter of simple education (as everyone here already knows).

I'm going to be holding a press/victims conference call on Wednesday (details at nationalidwatch.org), to answer questions from alumni, the press, and anyone else. I think there's a good chance that I can get the University to attend, also. In any case, I've invited them.

On a personal note, it will be nice when this thing dies down. I live in DC, and I've been on Hawaii time for the past couple of weeks. It makes for REALLY long nights. Let me know if you have any questions.

BTW- this javascript editor doesn't seem to work in Firefox. I have to log in using IE. Blah...

• ‹ Previous
• 1
• 2
• 3
• Next ›
• Page